Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6 and 3.7, when use_suexec is enabled, uses world-readable permissions for the localconfig files, which allows local users to read sensitive configuration fields, as demonstrated by the database password field and the site_wide_secret field.

Software | From | Fixed in |
---|---|---|
mozilla / bugzilla | 3.5.1 | 3.5.1.x |
mozilla / bugzilla | 3.5.2 | 3.5.2.x |
mozilla / bugzilla | 3.5.3 | 3.5.3.x |
mozilla / bugzilla | 3.6 | 3.6.x |
mozilla / bugzilla | 3.7 | 3.7.x |
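
A defensive check for the condition described above, as an added example (not Bugzilla's own code): it flags `localconfig*` files whose mode grants read access to "other" and reports whether the directories above them let other local users reach the file. The `localconfig*` glob, the function names and the `top` parameter are assumptions of this example.

```python
import os
import stat
from pathlib import Path

def others_can_traverse(directory: Path, top: Path) -> bool:
    """True if every directory from `directory` up to `top` has the o+x bit."""
    directory, top = directory.resolve(), top.resolve()
    for d in [directory, *directory.parents]:
        if not os.stat(d).st_mode & stat.S_IXOTH:
            return False
        if d == top:
            break
    return True

def audit_localconfig(bugzilla_dir, top="/"):
    """Return one finding per localconfig* file that has the o+r bit set."""
    root = Path(bugzilla_dir)
    findings = []
    for f in sorted(root.glob("localconfig*")):  # assumed file name pattern
        st = os.lstat(f)
        if not stat.S_ISREG(st.st_mode):
            continue  # skip symlinks and directories
        if st.st_mode & stat.S_IROTH:
            findings.append({
                "path": str(f),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                # o+r only matters if other users can reach the file at all
                "exposed": others_can_traverse(root, Path(top)),
            })
    return findings

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for item in audit_localconfig(target):
        if item["exposed"]:
            state = "readable by any local user"
        else:
            state = "o+r set, but a parent directory blocks traversal"
        print(f'{item["mode"]} {item["path"]}: {state}')
```

Run it with the Bugzilla installation directory as the argument; an empty result means no matching file has the world-read bit set.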