Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6 and 3.7, when use_suexec is enabled, uses world-readable permissions for the localconfig files, which allows local users to read sensitive configuration fields, as demonstrated by the database password field and the site_wide_secret field.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Bugzilla | Mozilla | 3.5.1 (including) | 3.5.1 (including) |
Bugzilla | Mozilla | 3.5.2 (including) | 3.5.2 (including) |
Bugzilla | Mozilla | 3.5.3 (including) | 3.5.3 (including) |
Bugzilla | Mozilla | 3.6 (including) | 3.6 (including) |
Bugzilla | Mozilla | 3.7 (including) | 3.7 (including) |
Bugzilla | Ubuntu | upstream | * |