A Bugzilla Security Advisory reports:
- Normally, information about time-tracking (estimated
hours, actual hours, hours worked, and deadlines) is
restricted to users in the "time-tracking group".
However, any user was able, by crafting their own
search URL, to search for bugs based using those
fields as criteria, thus possibly exposing sensitive
time-tracking information by a user seeing that a bug
matched their search.
- If $use_suexec was set to "1" in the localconfig file,
then the localconfig file's permissions were set as
world-readable by checksetup.pl. This allowed any user
with local shell access to see the contents of the file,
including the database password and the site_wide_secret
variable used for CSRF protection.