
Bugzilla remote command injection
2nd Oct 2002 [SBWID-5723]



	Affected: all 2.14 and 2.16 releases prior to 2.14.4 / 2.16.1


	From the Bugzilla security advisory by Dave Miller:


	- Permissions leak when using "usebuggroups" and more than 47 groups;
	permissions are granted to users in higher groups when they shouldn't
	be. (bug 167485; comment 12 has additional detection/recovery

	- calls processmail insecurely; command injection possible. (bug 163024)

	The following additional security issue was fixed in 2.16.1:

	- Apostrophes are not properly handled during account creation; SQL
	injection possible. (bug 165221)



	Fix: see Bugzilla releases 2.14.4 / 2.16.1.
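The apostrophe issue in account creation (bug 165221 above) comes from quoting user-supplied values by hand and splicing them into the SQL text. The following is an added illustration, not Bugzilla's own Perl code: a constructed `profiles` table in SQLite, the vulnerable string-building pattern beside the bound-parameter form, and a legitimate login containing an apostrophe that breaks the first and is stored intact by the second. Table, column and function names are assumptions for the demo.

```python
import sqlite3

# Constructed stand-in for an account table (schema is an assumption, not Bugzilla's).
def _fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profiles (login_name TEXT UNIQUE, realname TEXT)")
    return db

def create_account_unsafe(db, login_name, realname):
    """Vulnerable pattern: wrap each value in single quotes by hand and
    concatenate it into the statement. An apostrophe in the input closes
    the string literal early, so the remainder is parsed as SQL."""
    sql = ("INSERT INTO profiles (login_name, realname) VALUES ('"
           + login_name + "', '" + realname + "')")
    db.execute(sql)
    db.commit()

def create_account_safe(db, login_name, realname):
    """Hardened form: bind the values as parameters. The driver passes them
    separately from the statement text, so an apostrophe is only data."""
    db.execute("INSERT INTO profiles (login_name, realname) VALUES (?, ?)",
               (login_name, realname))
    db.commit()

def stored_logins(db):
    return [row[0] for row in db.execute("SELECT login_name FROM profiles")]

def demo():
    # Constructed sample input: a valid address that happens to contain an apostrophe.
    login, name = "o'brien@example.invalid", "Ann O'Brien"
    results = {}
    db = _fresh_db()
    try:
        create_account_unsafe(db, login, name)
        results["unsafe"] = stored_logins(db)
    except sqlite3.Error as exc:
        # The hand-quoted statement is no longer valid SQL once the quote is closed early.
        results["unsafe"] = "SQL error: " + str(exc)
    db = _fresh_db()
    create_account_safe(db, login, name)
    results["safe"] = stored_logins(db)
    return results
```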
