FreeBSD : Bugzilla -- Directory Traversal in (1d96305d-6ae6-11dd-91d5-000c29d47fd7)

High Nessus Plugin ID 33904


The remote FreeBSD host is missing one or more security-related updates.


A Bugzilla Security Advisory reports:

When importing bugs using, the --attach_path option can be specified, pointing to the directory where attachments to import are stored. If the XML file being read by contains a malicious ../relative_path/to/local_file node, the script follows this relative path and attaches the local file pointed by it to the bug, making the file public. The security fix makes sure the relative path is always ignored.


Update the affected packages.

Plugin Details

Severity: High

ID: 33904

File Name: freebsd_pkg_1d96305d6ae611dd91d5000c29d47fd7.nasl

Version: $Revision: 1.12 $

Type: local

Published: 2008/08/17

Modified: 2015/05/13

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 7.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:bugzilla, p-cpe:/a:freebsd:freebsd:ja-bugzilla, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2008/08/15

Vulnerability Publication Date: 2008/06/03

Reference Information

CVE: CVE-2008-4437

CWE: 22