Vulnerabilities > CVE-2007-0792 - HTML Injection And Information disclosure vulnerability in Mozilla Bugzilla 2.23.3

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

mozilla

NVD

Published: 2007-02-06

Updated: 2018-10-16

Summary

The mod_perl initialization script in Bugzilla 2.23.3 does not set the Bugzilla Apache configuration to allow .htaccess permissions to override file permissions, which allows remote attackers to obtain the database username and password via a direct request for the localconfig file.

Vulnerable Configurations

Part	Description	Count
Application	Mozilla Mozilla Bugzilla 2.23.3	1

References

http://osvdb.org/35862
http://securityreason.com/securityalert/2222
http://securitytracker.com/id?1017585
http://www.bugzilla.org/security/2.20.3/
http://www.securityfocus.com/archive/1/459025/100/0/threaded
http://www.securityfocus.com/bid/22380
http://www.vupen.com/english/advisories/2007/0477
https://exchange.xforce.ibmcloud.com/vulnerabilities/32252