Bugzilla Product Name Enumeration

2005-05-12T08:28:45
ID OSVDB:16425
Type osvdb
Reporter Marc Schumann, Frédéric Buclin, Gervase Markham, Roman Pszonka, Myk Melez, Joel Peshkin (bugreport@peshkin.net)
Modified 2005-05-12T08:28:45

Description

Vulnerability Description

Bugzilla contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a user correctly guesses the name of a product that should be invisible to them. When this occurs, the user will be informed that they do not have access to the product, which will disclose that it exists, resulting in a loss of confidentiality.
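The difference between the two error responses is the whole disclosure. The following is an added example, not Bugzilla's code: a small Python model of a group-restricted product lookup, with the leaky check beside a uniform one and a regression check that compares what an outsider sees. All names, messages and data in it are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed sample data: product name -> group required to see it (None = public).
PRODUCTS = {"WebTools": None, "SecretProject": "insiders"}

@dataclass
class User:
    login: str
    groups: set = field(default_factory=set)

class ProductError(Exception):
    """Error text shown to the requesting user."""

def can_see(user, name):
    required = PRODUCTS[name]
    return required is None or required in user.groups

def enter_product_leaky(user, name):
    """Behaviour the advisory describes: two distinct errors."""
    if name not in PRODUCTS:
        raise ProductError(f"The product '{name}' does not exist.")
    if not can_see(user, name):
        # This wording confirms to an outsider that the product exists.
        raise ProductError(f"You do not have access to the product '{name}'.")
    return name

def enter_product_uniform(user, name):
    """Hardened form: missing and hidden products fail identically."""
    if name not in PRODUCTS or not can_see(user, name):
        raise ProductError(f"Product '{name}' does not exist or is not accessible.")
    return name

def response(check, user, name):
    """What the user sees, with the echoed (user-supplied) name masked out."""
    try:
        check(user, name)
        return "OK"
    except ProductError as exc:
        return str(exc).replace(name, "<name>")

def leaks_existence(check, user, hidden, bogus):
    """Regression check: True if a hidden and a nonexistent name are told apart."""
    return response(check, user, hidden) != response(check, user, bogus)
```

The same comparison belongs in a test suite for any access-controlled lookup: the response for a hidden object and for a nonexistent one should match in text and status.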

Solution Description

Upgrade to version 2.16.9 or higher, version 2.18.1 or higher, or 2.19.3 or higher, as these versions have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor Specific News/Changelog Entry: https://bugzilla.mozilla.org/show_bug.cgi?id=287109
Vendor Specific Advisory URL
Secunia Advisory ID: 15338
Related OSVDB ID: 16427
Related OSVDB ID: 16426
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-05/0144.html
CVE-2005-1563