Multiple Bugzilla Bugs Squashed
Servers
SHARE
Facebook X Pinterest WhatsApp

Multiple Bugzilla Bugs Squashed

Written By
Ryan Naraine
Ryan Naraine
Oct 23, 2006
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Multiple security flaws in Bugzilla could put users of the software-defect–tracking product at risk of cross-site scripting, data manipulation and data exposure attacks.

According to a warning from the Mozilla Foundations open-source Bugzilla project, users should immediately upgrade to versions 2.18.6, 2.20.3, 2.22.1 or 2.23.3 to minimize the risk of malicious attacks.

Security alerts aggregator Secunia on Oct. 16 rated the vulnerabilities as “moderately critical.”

The most serious vulnerability occurs because Bugzilla does not properly sanitize various fields when embedded in certain HTML headline tags.

“This can be exploited to execute arbitrary HTML and script code in a users browser session in [the] context of an affected site,” Secunia analysts warned.

A second error that happens when attachments in “diff” mode are viewed could let unauthenticated users read the descriptions of all attachments.

In addition, when exporting bugs to the XML format, the “deadline” field also is visible to users who are not members of the “timetracking-group” group. This can be exploited to gain knowledge of potentially sensitive information, Secunia analysts explained. This could allow a malicious user to pass a URL to an administrator and make the administrator delete or change something that he or she had not intended to delete or change.

Unpatched versions of Bugzilla also allow users to perform certain sensitive actions via HTTP GET and POST requests without verifying the users request properly. This can be exploited to modify, delete or create bugs.

Bugzilla is a free, Web-based tool used by software developers to track code bugs and defects, and it is widely used in the open-source community. According to Bugzillas Web site, it has been identified as being used by 546 companies, organizations and projects.

The free software projects that use Bugzilla include the Linux kernel, GNOME, KDE, Apache, OpenOffice.org and Eclipse.

Bugzilla also is used in major Linux distributions from Red Hat, Mandriva, Gentoo Foundation, Turbo-linux and Novells SUSE unit.

Major companies and government agencies that use Bugzilla include Ximian, NASA and Id Software.
Ryan Naraine
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information