Bugzilla < 3.0.2 / 3.1.2 WebService/User.pm Authentication Bypass
Medium Nessus Network Monitor Plugin ID 4219
Synopsis: The remote host is vulnerable to a flaw that allows for the bypassing of authentication.
Description: The remote host is running Bugzilla, bug-tracking software with a web interface. The version of Bugzilla on the remote host suffers from a flaw when parsing input to the 'createemailregexp' parameter of the 'offer_account_by_email()' function in the 'WebService/User.pm' file. An attacker exploiting this flaw would need to know that the SOAP::Lite Perl module was installed. Successful exploitation would result in the attacker being able to create arbitrary Bugzilla user accounts.
Solution: Upgrade to version 3.0.2, 3.1.2 or higher.