CVE-2009-0486

Sažetak

Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users.

Reference

http://secunia.com/advisories/34361
http://www.bugzilla.org/security/3.0.7/
http://www.securityfocus.com/bid/33581
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html

CVSS

Base:	7.5
Impact:	6.4
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

25-03-2009 - 05:50

Objavljeno

09-02-2009 - 17:30