CVE-2007-0792 Information

Description

The mod_perl initialization script in Bugzilla 2.23.3 does not set the Bugzilla Apache configuration to allow .htaccess permissions to override file permissions which allows remote attackers to obtain the database username and password via a direct request for the localconfig file.

Reference

http://osvdb.org/35862 http://securityreason.com/securityalert/2222 http://securitytracker.com/id?1017585 http://www.bugzilla.org/security/2.20.3/ http://www.securityfocus.com/archive/1/459025/100/0/threaded http://www.securityfocus.com/bid/22380 http://www.vupen.com/english/advisories/2007/0477 https://exchange.xforce.ibmcloud.com/vulnerabilities/32252