Info

Disclosure

May 12, 2005

Discovery

Unknown

Dates

Exploit

May 12, 2005

Solution

Unknown

Description

Bugzilla contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a user correctly guesses the name of a product that should be invisible to them. When this occurs, the user will be informed that they do not have access to the product, which will disclose that it exists, resulting in a loss of confidentiality.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Solution: Upgrade
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified

Solution

Upgrade to version 2.16.9 or higher, version 2.18.1 or higher, or 2.19.3 or higher, as these versions have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Mozilla Organization	Bugzilla	2.18
		2.19.1
		2.19.2
		2.16.8
		2.19.3
		2.18.1
		2.16.9

References

Secunia Advisory ID: 15338
Related OSVDB ID: 16426 16427
CVE ID: 2005-1563 (see also: NVD)
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-05/0144.html
Vendor Specific Advisory URL: http://www.bugzilla.org/security/2.16.8/
Vendor Specific News/Changelog Entry: https://bugzilla.mozilla.org/show_bug.cgi?id=287109

Credit

Roman Pszonka -
Gervase Markham -
Frédéric Buclin -
Myk Melez -
Joel Peshkin - bugreportpeshkin.net -
Marc Schumann -

Direct URL: http://osvdb.org/16425

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Mozilla Organization

Bugzilla

References

Credit