CVE-2001-1401

An attacker who is logged into Bugzilla can bypass viewing restrictions by manipulating the bug id parameter in the affected CGI scripts [ref_id=1]. For process_bug.cgi, the attacker saves a normal show_bug.cgi page, changes the form action to an absolute URL, modifies hidden form elements (delta_ts, longdesclength, and id) to point to a restricted bug, then submits the form [ref_id=1]. The script displays all comments on the restricted bug instead of denying access [ref_id=1]. Users with editbugs privileges see all comments immediately; others may be able to iterate over fields to obtain restricted bug settings [ref_id=1].

The vulnerability affects multiple CGI scripts that accept bug id parameters without verifying the user's viewing permissions: process_bug.cgi, show_activity.cgi, showvotes.cgi, showdependencytree.cgi, showdependencygraph.cgi, showattachment.cgi, and describecomponents.cgi [ref_id=1]. The core issue is in process_bug.cgi, which does not check whether the user is authorized to view the bug before processing modifications [ref_id=1].

The fix adds a permission check before processing bug modifications in process_bug.cgi [ref_id=1]. The patch introduces a routine that validates the user's groupset against the bug's groupset using the condition `($groupset & $::usergroupset) == $groupset` to ensure the user is authorized to view the bug [ref_id=1]. It also refines the regex for extracting bug IDs from form parameters to use `/^id_(\d+)/` for safer matching [ref_id=1]. The fix was checked in and marked as resolved for Bugzilla 2.14 [ref_id=1].

1. Find a restricted bug (e.g., bug 28698). 2. Save the current show_bug.cgi page. 3. Change the form action to an absolute URL on the saved page. 4. Modify hidden form elements to: `