Test ID: 1.3.6.1.4.1.25623.1.0.55704
Category: Conectiva Local Security Checks
Title: Conectiva Security Advisory CLSA-2005:1040
Summary: NOSUMMARY
Description:

The remote host is missing updates announced in
advisory CLSA-2005:1040.

This announcement fixes three vulnerabilities in Bugzilla:

Cross-site scripting
It is possible to send a carefully crafted URL to Bugzilla
designed to trigger an error message. The Internal Error page
includes JavaScript code which displays the URL the user is
visiting. The JavaScript code does not escape the URL before
writing it into the page, so script contained in the URL is
executed by the browser (a reflected cross-site scripting flaw).
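The following is an added example, not Bugzilla's code or any code from the advisory. It models the flaw described above as a string-building function: the URL the user requested is concatenated into the error page's markup, once without escaping and once with an HTML escaper. The crafted URL is constructed for the example.

```javascript
// Added example (not Bugzilla's code): an error page that reflects the
// current URL into the document, first unescaped, then with escaping.

// Minimal HTML escaper covering the characters that can break out of
// text or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the URL is concatenated straight into markup, so a
// URL containing "<script>" becomes live script when the page is rendered.
function renderErrorUnsafe(url) {
  return "<p>Internal error while loading " + url + "</p>";
}

// Hardened pattern: escape before concatenating. In a real browser you
// would prefer textContent over innerHTML and avoid string building.
function renderErrorSafe(url) {
  return "<p>Internal error while loading " + escapeHtml(url) + "</p>";
}

// Constructed attacker URL (hypothetical host and parameter).
const craftedUrl =
  'https://bugzilla.example/buglist.cgi?x="><script>alert(document.cookie)</script>';

// Returns both renderings so the difference can be inspected or asserted.
function demo() {
  return {
    unsafe: renderErrorUnsafe(craftedUrl),
    safe: renderErrorSafe(craftedUrl),
  };
}
```

The unsafe rendering keeps the raw `<script>` element in the page; the safe rendering turns it into inert text (`&lt;script&gt;...`), which is exactly the escaping step the advisory says was missing.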

Information leak
If a user correctly guesses the name of a product that should
be invisible to them, they are specifically informed that
they do not have access to it, which confirms that the
product exists. Also, users can enter bugs into products that
are closed for bug entry if they correctly guess the name of
the product, because the restriction was enforced only by the
product's absence from the bug-entry form.
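The following is an added example, not Bugzilla's code. It shows the leaky access check beside a fixed one that answers identically whether a product is nonexistent or merely hidden from the caller, and a bug-entry function that re-checks the closed flag on the server instead of trusting the form. The product table, group names and response strings are constructed for the example.

```javascript
// Added example (not Bugzilla's code): product lookup that does not reveal
// hidden product names, plus server-side enforcement of "closed for entry".

// Constructed product table (hypothetical data).
const PRODUCTS = new Map([
  ["WebTools", { groups: [], openForBugEntry: true }],
  ["SecretProject", { groups: ["secret-team"], openForBugEntry: true }],
  ["LegacyApp", { groups: [], openForBugEntry: false }],
]);

// A product is visible if it is unrestricted or the user is in one of its groups.
function canSee(user, product) {
  return product.groups.length === 0 ||
    product.groups.some((g) => user.groups.includes(g));
}

// Leaky pattern: distinguishes "no such product" from "not yours", which
// lets a caller confirm a hidden product name simply by guessing it.
function lookupProductLeaky(user, name) {
  const p = PRODUCTS.get(name);
  if (!p) return { ok: false, error: "product does not exist" };
  if (!canSee(user, p)) {
    return { ok: false, error: "you do not have access to this product" };
  }
  return { ok: true, product: p };
}

// Fixed pattern: one indistinguishable response for both cases.
const NOT_FOUND = { ok: false, error: "product does not exist" };

function lookupProduct(user, name) {
  const p = PRODUCTS.get(name);
  if (!p || !canSee(user, p)) return NOT_FOUND;
  return { ok: true, product: p };
}

// Bug entry re-checks the closed flag here rather than relying on the
// product being left out of the entry form's drop-down. Reporting "closed"
// is acceptable because lookupProduct has already confirmed visibility.
function enterBug(user, name) {
  const r = lookupProduct(user, name);
  if (!r.ok) return r;
  if (!r.product.openForBugEntry) {
    return { ok: false, error: "product is closed for bug entry" };
  }
  return { ok: true, bugId: 1 }; // placeholder id; a real system would allocate one
}
```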

User Password Embedded in URL
The user's password can be embedded as part of a report URL,
and thus be visible in the web server logs, if the user is prompted
to log in while attempting to view a chart. A URL of this kind is
also retained in browser history and may be sent to third parties
in Referer headers, so the exposure is not limited to the server log.
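The following is an added example, not from the advisory or from Bugzilla. It is the check an operator would want after this kind of bug: scan web-server access-log lines for request URLs that carry credentials in the query string and produce a redacted copy that is safe to retain. The log lines are constructed, and the list of sensitive parameter names (including `Bugzilla_password`) is an assumption to be adjusted for your deployment.

```javascript
// Added example (not from the advisory): flag and redact credentials that
// appear in query strings of access-log lines. Log data is constructed.

// Parameter names treated as sensitive (assumption: adjust per deployment).
const SENSITIVE_PARAMS = ["Bugzilla_password", "password", "passwd", "pwd"];

// Pull the request target out of a Common/Combined Log Format line:
// ... "GET /path?query HTTP/1.0" ...
const REQUEST_RE = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/;

// decodeURIComponent throws on malformed escapes; logs contain such junk.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Names of sensitive parameters present in the URL's query string.
function findCredentialParams(url) {
  const qIndex = url.indexOf("?");
  if (qIndex < 0) return [];
  const found = [];
  for (const pair of url.slice(qIndex + 1).split("&")) {
    const name = safeDecode(pair.split("=")[0]);
    if (SENSITIVE_PARAMS.includes(name)) found.push(name);
  }
  return found;
}

// Replace the value of each sensitive parameter, keeping the rest intact.
function redactUrl(url) {
  const qIndex = url.indexOf("?");
  if (qIndex < 0) return url;
  const redacted = url.slice(qIndex + 1).split("&").map((pair) => {
    const [name, ...rest] = pair.split("=");
    if (rest.length && SENSITIVE_PARAMS.includes(safeDecode(name))) {
      return name + "=REDACTED";
    }
    return pair;
  });
  return url.slice(0, qIndex + 1) + redacted.join("&");
}

// Returns one hit per offending line: which parameters leaked and a
// redacted version of the line suitable for keeping.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const m = REQUEST_RE.exec(line);
    if (!m) continue;
    const params = findCredentialParams(m[1]);
    if (params.length) {
      hits.push({ params, redactedLine: line.replace(m[1], redactUrl(m[1])) });
    }
  }
  return hits;
}

// Constructed sample (Combined Log Format); not real log data.
const SAMPLE_LOG = [
  '10.0.0.5 - - [12/Jul/2005:10:01:02 -0300] "GET /bugzilla/buglist.cgi?product=WebTools HTTP/1.0" 200 5120',
  '10.0.0.7 - - [12/Jul/2005:10:02:11 -0300] "GET /bugzilla/reports.cgi?datasets=all&Bugzilla_login=alice%40example.com&Bugzilla_password=Hunter2 HTTP/1.0" 200 2048',
  '10.0.0.9 - - [12/Jul/2005:10:03:45 -0300] "POST /bugzilla/index.cgi HTTP/1.0" 302 0',
];
```

Finding hits in historical logs is a signal that the affected passwords should be rotated, not only that the logs should be scrubbed; the fix on the application side is to carry credentials in the POST body rather than the query string.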

Solution:
Upgrade the affected packages with the apt tool, which performs RPM
package upgrades on Conectiva: run 'apt-get update' followed by
'apt-get upgrade'.

http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=001040
http://www.bugzilla.org
http://www.bugzilla.org/security/2.16.7-nr/
http://www.bugzilla.org/security/2.16.8/

Risk factor : High

Copyright: Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com
