bugzilla -- information disclosure

ID F1331504-8849-11DF-89B8-00151735203A
Type freebsd
Reporter FreeBSD
Modified 2010-06-24T00:00:00


A Bugzilla Security Advisory reports:

Normally, information about time-tracking (estimated hours, actual hours, hours worked, and deadlines) is restricted to users in the "time-tracking group". However, any user was able, by crafting their own search URL, to search for bugs based using those fields as criteria, thus possibly exposing sensitive time-tracking information by a user seeing that a bug matched their search. If $use_suexec was set to "1" in the localconfig file, then the localconfig file's permissions were set as world-readable by checksetup.pl. This allowed any user with local shell access to see the contents of the file, including the database password and the site_wide_secret variable used for CSRF protection.