Spotlight | Reviews | Current Issue | Academy | Newsletter | Subscribe | Shop |
Departments

Partner Links
Make your own website
WinWeb OnlineOffice
Comparing prices of hardware is worth it.
Price Comparison
UK Linux Jobs
What:
Where:
Country:
vacatures Netherlands njobs Linux vacatures
arbeit Deutschland njobs Linux arbeit
work United Kingdom njobs Linux jobs
Lavoro Italia njobs Linux lavoro
Emploi France njobs Linux emploi
trabajo Espana njobs Linux trabajo

user friendly

Admin Magazine

ADMIN Network & Security

Subscribe now and save!

ADMIN - Explore the new world of system administration! Special introductory offer! Order by September 30th to save 10% off the regular subscription price! Each issue delivers technical solutions to the real-world problems you face every day. Learn the latest techniques for better:

  • network security
  • system management
  • troubleshooting
  • performance tuning
  • virtualization
  • cloud computing

 

on Windows, Linux, Solaris, and popular varieties of Unix.

http://www.admin-magazine.com/

  linux-magazine.com » Online » News » XSS Error in Bugzilla Removed  

Print this page. Recommend
Share

XSS Error in Bugzilla Removed

The developers of the free Bugzilla bug management system have fixed several bugs including a vulnerability that enabled cross site scripting attacks.

In the current security advisory for the Bugzilla bug management system the developers report that three vulnerabilities have been closed. One bug let attackers trick users into visiting a rogque website if the user viewed bugs in the "Format for Printing", or extended view. For more information on the cross site scripting vulnerability read security report 425665.

An error in the XML-RPC interface gave arbitrary users the ability to create new bug reports with "NEW" or "ASSIGNED" status. Normally users require "canconfirm" privileges for this. The developers classified the third bug as less critical. It gave users the ability to use fake names. A lack of authentication in the "email_in.pl" module gave users the ability to manipulate the FROM header.

The bugs affected Bugzilla prior to version 3.0.4, 3.1.4, 2.22.4 and 2.20.6. Patches and how-tos on fixing the bugs are available on bugzilla.org/download. You can also download a full release from the same site.

(Jan Rähm)

Comments


Print this page. Recommend
Share
Related Articles
Security Holes: Bugzilla Recommends Update
Firefox 2.0.0.8 does not Close all the Gaps and Adds Some New Ones
Gimp 2.6.2 Release Brings Major Bug Fixes
MySQL Founder Warns 5.1 Not Ready
Bugzilla 3.2 Has Oracle Linkup and Better Services
Tor Software Down to Zero Bugs
Special Linux Magazine 3 for 1 Offer

Get 3 Issues + 3 DVDs for the price of a single issue!

Let Linux Magazine's hands-on, technical articles guide you in your daily Linux use. Check out bonus DVDs like Ubuntu, SUSE, or Fedora and save the download.

Only available for a limited time. Don't miss out!

more...