Red Hat NETSCAPE ENTREPRISE SERVER 6.1 - 08-2002 ADMINISTRATOR User Manual Page 13

NIPC CyberNotes #2002-12 Page 13 of 33 06/17/2002
Vendor: Mozilla [59]
Operating System: Multiple
Software Name: Bugzilla 2.14, 2.14.1
Vulnerability/Impact: Several vulnerabilities exist which could let a remote malicious user obtain sensitive information. A vulnerability exists in the 'queryhelp.cgi' script because it does not observe any restrictions that may be set on the display of products in the Bugzilla database; it is possible for a malicious user to bypass the IP check by setting up a fake reverse DNS, if the Bugzilla web server was configured to do reverse DNS lookups; a vulnerability exists because in some situations the data directory became world writeable; a vulnerability exists because a malicious user with access to 'editusers.cgi' could delete a user regardless of whether 'allowuserdeletion' is on; a Cross-Site Scripting vulnerability exists because real names are not HTML filtered; a vulnerability exists because a mass change will set the groupset of every bug to be the same groupset of the first bug; a vulnerability exists because Bugzilla does not handle encoding from some browsers which could lead to unexpected consequences; and a vulnerability exists because it is possible for random confidential information to be divulged, if the shadow database is in use and becomes corrupted.
Patches/Workarounds/Alerts: Upgrade available at: http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.2.tar.gz
Common Name: Multiple Bugzilla Security
Risk*: Medium
Attacks/Scripts: Bug discussed in newsgroups and websites. Many of these vulnerabilities can be exploited via a web browser.

[59] Bugzilla Security Advisory, June 8, 2002.