Vulnerabilities > CVE-2009-3166 - Credentials Management vulnerability in Mozilla Bugzilla 3.4/3.4.1
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
token.cgi in Bugzilla 3.4rc1 through 3.4.1 places a password in a URL at the beginning of a login session that occurs immediately after a password reset, which allows context-dependent attackers to discover passwords by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 3 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201006-19.NASL description The remote host is affected by the vulnerability described in GLSA-201006-19 (Bugzilla: Multiple vulnerabilities) Multiple vulnerabilities have been reported in Bugzilla. Please review the CVE identifiers referenced below for details. Impact : A remote attacker might be able to disclose local files, bug information, passwords, and other data under certain circumstances. Furthermore, a remote attacker could conduct SQL injection, Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) attacks via various vectors. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 46808 published 2010-06-04 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/46808 title GLSA-201006-19 : Bugzilla: Multiple vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 201006-19. # # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(46808); script_version("1.11"); script_cvs_date("Date: 2019/08/02 13:32:45"); script_cve_id("CVE-2008-4437", "CVE-2008-6098", "CVE-2009-0481", "CVE-2009-0482", "CVE-2009-0483", "CVE-2009-0484", "CVE-2009-0485", "CVE-2009-0486", "CVE-2009-1213", "CVE-2009-3125", "CVE-2009-3165", "CVE-2009-3166", "CVE-2009-3387", "CVE-2009-3989"); script_bugtraq_id(30661, 32178, 34308, 36371, 36373, 38025, 38026); script_xref(name:"GLSA", value:"201006-19"); script_name(english:"GLSA-201006-19 : Bugzilla: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-201006-19 (Bugzilla: Multiple vulnerabilities) Multiple vulnerabilities have been reported in Bugzilla. Please review the CVE identifiers referenced below for details. Impact : A remote attacker might be able to disclose local files, bug information, passwords, and other data under certain circumstances. Furthermore, a remote attacker could conduct SQL injection, Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) attacks via various vectors. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/201006-19" ); script_set_attribute( attribute:"solution", value: "All Bugzilla users should upgrade to an unaffected version: # emerge --sync # emerge --ask --oneshot --verbose '>=www-apps/bugzilla-3.2.6' Bugzilla 2.x and 3.0 have reached their end of life. There will be no more security updates. All Bugzilla 2.x and 3.0 users should update to a supported Bugzilla 3.x version." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(22, 79, 89, 255, 264, 352); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:bugzilla"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2010/06/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/06/04"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"www-apps/bugzilla", unaffected:make_list("ge 3.2.6"), vulnerable:make_list("lt 3.2.6"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Bugzilla"); }NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_B9EC7FE3A38A11DE9C6B003048818F40.NASL description A Bugzilla Security Advisory reports : - It is possible to inject raw SQL into the Bugzilla database via the last seen 2020-06-01 modified 2020-06-02 plugin id 41007 published 2009-09-18 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/41007 title FreeBSD : bugzilla -- two SQL injections, sensitive data exposure (b9ec7fe3-a38a-11de-9c6b-003048818f40) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(41007); script_version("1.11"); script_cvs_date("Date: 2019/08/02 13:32:40"); script_cve_id("CVE-2009-3125", "CVE-2009-3165", "CVE-2009-3166"); script_name(english:"FreeBSD : bugzilla -- two SQL injections, sensitive data exposure (b9ec7fe3-a38a-11de-9c6b-003048818f40)"); script_summary(english:"Checks for updated package in pkg_info output"); script_set_attribute( attribute:"synopsis", value:"The remote FreeBSD host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "A Bugzilla Security Advisory reports : - It is possible to inject raw SQL into the Bugzilla database via the 'Bug.create' and 'Bug.search' WebService functions. - When a user would change his password, his new password would be exposed in the URL field of the browser if he logged in right after changing his password." ); # http://www.bugzilla.org/security/3.0.8/ script_set_attribute( attribute:"see_also", value:"https://www.bugzilla.org/security/3.0.8/" ); # https://vuxml.freebsd.org/freebsd/b9ec7fe3-a38a-11de-9c6b-003048818f40.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?a3a0aa66" ); script_set_attribute(attribute:"solution", value:"Update the affected package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_cwe_id(89, 255); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:bugzilla"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2009/09/11"); script_set_attribute(attribute:"patch_publication_date", value:"2009/09/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/18"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"bugzilla>3.3.1<3.4.2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 36372 CVE(CAN) ID: CVE-2009-3166 Bugzilla是很多软件项目都在使用的基于Web的BUG跟踪系统。 由于$cgi->query_string在不合适的情况下返回了POST变量,用户在重置口令后立即重新登录时,浏览器的URL中会泄露口令,这也意味着Bugzilla Webserver的日志中和登录后立即点击链接的页面Referer头中可能会出现口令。 Mozilla Bugzilla 3.4 厂商补丁: Mozilla ------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.4.2.tar.gz |
| id | SSV:12301 |
| last seen | 2017-11-19 |
| modified | 2009-09-16 |
| published | 2009-09-16 |
| reporter | Root |
| title | Mozilla Bugzilla URL口令信息泄露漏洞 |
References
- http://secunia.com/advisories/36718
- http://secunia.com/advisories/36718
- http://www.bugzilla.org/security/3.0.8/
- http://www.bugzilla.org/security/3.0.8/
- http://www.securityfocus.com/bid/36372
- http://www.securityfocus.com/bid/36372
- http://www.securitytracker.com/id?1022902
- http://www.securitytracker.com/id?1022902
- https://bugzilla.mozilla.org/show_bug.cgi?id=508189
- https://bugzilla.mozilla.org/show_bug.cgi?id=508189