BugZilla BugList.CGI SQL Query Manipulation Vulnerability

Bugzilla is the bug tracking software package by the Mozilla project. It can be configured to run on Microsoft Windows and various Unix/Linux platforms.

A vulnerability exists in the buglist.cgi script which may allow a remote attacker to modify the logic of an SQL query. Due to a lack of input validation, it is possible to append arbitrary SQL to the WHERE clause of a query. This may permit the attacker to execute commands on the database.
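As an added illustration (not Bugzilla's code and not part of the advisory), the query-building pattern the advisory describes beside its parameterized fix, using a constructed in-memory SQLite table in place of the real Bugzilla schema:

```python
import sqlite3

# Constructed sample data, not Bugzilla's real schema: a bug list in which
# some bugs are restricted and must never be returned to this user.
SAMPLE_BUGS = [
    (1, "Crash on startup", "NEW", 0),
    (2, "Typo in docs", "RESOLVED", 0),
    (3, "Auth bypass (embargoed)", "NEW", 1),
]

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bugs (bug_id INTEGER, summary TEXT, "
               "bug_status TEXT, restricted INTEGER)")
    db.executemany("INSERT INTO bugs VALUES (?, ?, ?, ?)", SAMPLE_BUGS)
    return db

def buglist_vulnerable(db, status):
    # Vulnerable pattern: the user-supplied filter value is interpolated
    # straight into the WHERE clause, so text after a closing quote is parsed
    # as SQL and can rewrite the access-control condition that follows it.
    sql = (f"SELECT bug_id FROM bugs WHERE bug_status = '{status}' "
           "AND restricted = 0")
    return [row[0] for row in db.execute(sql)]

def buglist_fixed(db, status):
    # Hardened pattern: the value travels as a bound parameter, so it is only
    # ever compared against bug_status and never parsed as part of the query.
    sql = "SELECT bug_id FROM bugs WHERE bug_status = ? AND restricted = 0"
    return [row[0] for row in db.execute(sql, (status,))]

def demo():
    db = open_db()
    # Filter value that closes the string literal and appends a tautology;
    # the trailing comment marker discards the restricted = 0 check.
    hostile = "NEW' OR 1=1 --"
    return {
        "vulnerable": buglist_vulnerable(db, hostile),  # leaks bug 3
        "fixed": buglist_fixed(db, hostile),            # matches nothing
        "normal": buglist_fixed(db, "NEW"),             # legitimate use
    }

if __name__ == "__main__":
    print(demo())
```

The vulnerable variant returns every row, including the restricted bug, while the parameterized variant treats the same input as an ordinary (non-matching) status value.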

Copyright 2010, SecurityFocus