[UNIX] Bugzilla Multiple Information Leak

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Bugzilla Multiple Information Leak
------------------------------------------------------------------------

SUMMARY

" <http://www.bugzilla.org> Bugzilla is a "Defect Tracking System" or
"Bug-Tracking System". Defect Tracking Systems allow individual or groups
of developers to keep track of outstanding bugs in their product
effectively."

Bugzilla does not validate properly settings before allowing unprivileged
users to obtain restricted data that only authenticated users can see and
expose users status on the system when configured not to.

DETAILS

Vulnerable Systems:
* Bugzilla version 2.18.3
* Bugsilla version 2.20rc2
* Bugzilla version 2.21

Immune Systems:
* Bugzilla version 2.16
* Bugzilla version 2.20

Information Leak 1:
config.cgi gives JavaScript and RDF information about Bugzilla to
third-party clients, including a list of products in the Bugzilla
installation. The "requirelogin" parameter requires that all people be
logged into Bugzilla before seeing any data, as a security measure.

In affected versions, config.cgi is always accessible, and always contains
information to non-logged-in users, even when "requirelogin" is turned on,
possibly exposing product names that administrators expected to be
confidential.

Information Leak 2:
Bugzilla contains features to prevent users from "seeing" other users,
enabled by the "usevisibilitygroups" parameter. Bugzilla also contains a
feature called "user matching," which enables users to type in part of a
username and get back a list of possible matches.

If user matching is turned on and is in "substring" mode, all matching
users will be returned to a query, regardless of the visibility groups
settings, exposing users who should be invisible.

Vendor Status:
The vendor has wrote the following: "The fixes for all of the security
bugs mentioned in this advisory are included in the 2.18.4, 2.20, and
2.21.1 releases. Upgrading to these releases will protect installations
from possible exploits of these issues.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:
<http://www.bugzilla.org/download/> http://www.bugzilla.org/download/

Specific patches for each of the individual issues can be found on the
corresponding bug reports for each issue, at the URL given in the
reference for that issue in the list above."

ADDITIONAL INFORMATION

The information has been provided by <mailto:mkanat@bugzilla.org> mkanat.
The bug reports can be found at:
<https://bugzilla.mozilla.org/show_bug.cgi?id=308256>
https://bugzilla.mozilla.org/show_bug.cgi?id=308256,
<https://bugzilla.mozilla.org/show_bug.cgi?id=308662>
https://bugzilla.mozilla.org/show_bug.cgi?id=308662

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.