bugzilla -- "createemailregexp" security bypass vulnerability

ID F8D3689E-6770-11DC-8BE8-02E0185F8D72
Type freebsd
Reporter FreeBSD
Modified 2010-05-12T00:00:00


The Bugzilla development team reports:

Bugzilla::WebService::User::offer_account_by_email does not check the "createemailregexp" parameter, and thus allows users to create accounts who would normally be denied account creation. The "emailregexp" parameter is still checked. If you do not have the SOAP::Lite Perl module installed on your Bugzilla system, your system is not vulnerable (because the Bugzilla WebService will not be enabled).
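The gap described in the report, as an added example for auditing. It is a model and not Bugzilla source code. The regular-expression values, the sample logins and the helper names `offer_account_unpatched`, `offer_account_patched` and `webservice_prereq_present` are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: a model of the check gap, not Bugzilla source code.
use strict;
use warnings;

# Constructed parameter values (assumptions; read the real ones from your
# installation's parameters).
my %param = (
    emailregexp       => qr/^[\w.+=-]+\@[\w.-]+\.[\w-]+$/,
    createemailregexp => qr/\@example\.com$/i,
);

# Per the advisory, the WebService is only enabled when SOAP::Lite is present.
sub webservice_prereq_present {
    return eval { require SOAP::Lite; 1 } ? 1 : 0;
}

# Hypothetical model of the flawed path: address format is the only gate.
sub offer_account_unpatched {
    my ($login) = @_;
    return $login =~ $param{emailregexp} ? 1 : 0;
}

# Hypothetical model of the corrected path: format and creation policy.
sub offer_account_patched {
    my ($login) = @_;
    return 0 unless $login =~ $param{emailregexp};
    return 0 unless $login =~ $param{createemailregexp};
    return 1;
}

# Constructed sample logins standing in for an export of existing accounts.
my @logins = ('alice@example.com', 'bob@EXAMPLE.COM',
              'mallory@other.test', 'not-an-address');

printf "SOAP::Lite installed: %s\n", webservice_prereq_present() ? 'yes' : 'no';
for my $login (@logins) {
    my $old  = offer_account_unpatched($login);
    my $new  = offer_account_patched($login);
    my $note = ($old && !$new) ? 'REVIEW: fails createemailregexp' : '';
    printf "%-20s unpatched=%d patched=%d %s\n", $login, $old, $new, $note;
}
```

Logins flagged REVIEW are the ones that pass "emailregexp" but not "createemailregexp", so on an affected installation they are the accounts worth checking after upgrading.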