FreeBSD : bugzilla -- information disclosure (f1331504-8849-11df-89b8-00151735203a)
Medium Nessus Plugin ID 47601
Synopsis: The remote FreeBSD host is missing a security-related update.
Description: A Bugzilla Security Advisory reports :
- Normally, information about time-tracking (estimated hours, actual hours, hours worked, and deadlines) is restricted to users in the 'time-tracking group'. However, any user was able, by crafting their own search URL, to search for bugs using those fields as criteria. Because the search results reveal which bugs matched, a user outside the group could infer sensitive time-tracking information from the match alone.
- If $use_suexec was set to '1' in the localconfig file, then the localconfig file's permissions were set as world-readable by checksetup.pl. This allowed any user with local shell access to see the contents of the file, including the database password and the site_wide_secret variable used for CSRF protection.
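The second item is a file-permission problem, so the practical check is to look at the mode bits of localconfig and at the $use_suexec setting that triggered it. The script below is an added example, not part of the advisory, of Bugzilla or of the FreeBSD port: it checks whether a given localconfig is world-readable, whether it enables $use_suexec, and demonstrates the vulnerable and corrected states on a constructed localconfig in a temporary directory (no real Bugzilla install is touched). The function names and the sample file contents are the example's own; the remedy shown is only to clear the world-read bit, since the group ownership the web server needs depends on the local setup.

```sh
#!/bin/sh
# Added example, not from the advisory or Bugzilla: audit a localconfig file
# for the world-readable condition described above.

# is_world_readable FILE -> exit 0 if the "other" read bit is set.
# The 8th character of the ls -l mode string is that bit (e.g. -rw-r--r--).
is_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# uses_suexec FILE -> exit 0 if localconfig sets $use_suexec = 1
uses_suexec() {
    grep -Eq '^[[:space:]]*\$use_suexec[[:space:]]*=[[:space:]]*1[[:space:]]*;' "$1"
}

# check_localconfig FILE -> prints a verdict; exit 0 if OK, 1 if exposed.
check_localconfig() {
    f="$1"
    if is_world_readable "$f"; then
        if uses_suexec "$f"; then
            echo "EXPOSED: $f is world-readable and \$use_suexec=1 (advisory condition); run: chmod o-r $f"
        else
            echo "EXPOSED: $f is world-readable; run: chmod o-r $f"
        fi
        return 1
    fi
    echo "OK: $f is not world-readable"
    return 0
}

# demo: constructed localconfig (fake secrets) showing the before/after states.
demo() {
    d=$(mktemp -d)
    lc="$d/localconfig"
    printf '$use_suexec = 1;\n$db_pass = "example-only";\n$site_wide_secret = "example-only";\n' > "$lc"
    chmod 644 "$lc"               # mode the vulnerable checksetup.pl produced
    check_localconfig "$lc" || :  # prints EXPOSED
    chmod o-r "$lc"               # drop the world-read bit
    check_localconfig "$lc"       # prints OK
    rm -rf "$d"
}

demo
```

Run it against the real file with `check_localconfig /path/to/bugzilla/localconfig` after sourcing the script; a non-zero exit means the database password and site_wide_secret in that file are readable by every local account.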
Solution: Update the affected package.