U-251: Bugzilla LDAP Injection and Information Disclosure Vulnerabilities

September 5, 2012 - 6:00am

PROBLEM:

Bugzilla LDAP Injection and Information Disclosure Vulnerabilities

PLATFORM:

Bugzilla 2.x
Bugzilla 3.x
Bugzilla 4.x

ABSTRACT:

Bugzilla is prone to an LDAP-injection vulnerability and an information-disclosure vulnerability.

REFERENCE LINKS:

Bugzilla Homepage
Bugzilla Security Advisory
Bugtraq ID: 55349
Secunia Advisory SA50433
CVE-2012-3981
CVE-2012-4747

IMPACT ASSESSMENT:

Medium

DISCUSSION:

A vulnerability and a security issue have been reported, which can be exploited by malicious people to disclose potentially sensitive information and manipulate certain data.

1) Input passed via the username is not properly escaped before being used in an LDAP query and can be exploited to inject LDAP statements.

2) The application does not restrict directory browsing access to extensions, which can be exploited to disclose the source code of templates.
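
As an illustration of item 1, the following added example (not Bugzilla's code and not taken from the vendor fix) shows the flawed pattern of interpolating a username into an LDAP search filter next to a hardened form that escapes the value as RFC 4515 requires. The attribute name "uid", the function names and the sample usernames are assumptions constructed for this example.

```python
# Added example: RFC 4515 search-filter escaping for a user-supplied login name.
# The attribute name "uid" and all function names are assumptions for illustration;
# this is not Bugzilla's implementation.

# Characters that RFC 4515 requires to be escaped inside a filter assertion value,
# mapped to their backslash-hex form.
_FILTER_SPECIALS = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Replace every filter metacharacter in value with its \\XX escape.

    Mapping character by character avoids double-escaping the backslash.
    """
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str, attr: str = "uid") -> str:
    """Flawed pattern: the username is placed in the filter as-is."""
    return f"({attr}={username})"


def build_filter_safe(username: str, attr: str = "uid") -> str:
    """Hardened pattern: the username can only be matched as a literal value."""
    return f"({attr}={escape_filter_value(username)})"


def compare(usernames):
    """Return (input, unsafe filter, safe filter) for each username."""
    return [(u, build_filter_unsafe(u), build_filter_safe(u)) for u in usernames]


if __name__ == "__main__":
    # Constructed sample inputs: a normal login, a wildcard, and a value
    # containing parentheses that would change the filter's structure.
    for name, unsafe, safe in compare(["alice", "al*", "x)(mail=*"]):
        print(f"{name!r:14} unsafe={unsafe:20} safe={safe}")
```

With the unescaped form, the wildcard and parenthesis inputs change what the directory is asked to match; with the escaped form each input stays a single literal value.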

IMPACT:

Exploiting these issues could allow an attacker to obtain sensitive information, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

SOLUTION:

The vendor has issued a fix. Update to version 3.6.11, 4.0.8, 4.2.3, or 4.3.3.

 
