VYPR
Unrated severity · NVD Advisory · Published Aug 12, 2002 · Updated Jun 16, 2026

CVE-2002-0804

Description

Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, when configured to perform reverse DNS lookups, allows remote attackers to bypass IP restrictions by connecting from a system with a spoofed reverse DNS hostname.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • cpe:2.3:a:mozilla:bugzilla:2.14:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:bugzilla:2.14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:bugzilla:2.16:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:bugzilla:2.16:rc1:*:*:*:*:*:*

Patches

Vulnerability mechanics

Root cause

"Storing reverse-DNS-resolved hostnames instead of raw IP addresses in the logincookies table allows an attacker who controls reverse DNS for their IP to bypass IP-based authentication checks."

Attack vector

An attacker who controls reverse DNS for their own IP address can publish a PTR record that returns the hostname of the victim's machine. When Bugzilla validates a login cookie against the `logincookies` table, it compares the stored hostname with the attacker's spoofed `REMOTE_HOST` rather than with the actual IP address, so the attacker can present the victim's cookie from their own system, impersonate the victim and bypass the IP-based access restriction [ref_id=1]. This only works when the web server performs reverse DNS lookups (`HostnameLookups`, which is off by default in Apache).

Affected code

The `logincookies` table stored a `hostname` field populated from the web server's `REMOTE_HOST` environment variable, which is obtained via reverse DNS lookup. The fix changes this field to store the IP address (`ipaddr`) instead of the hostname, and invalidates all existing logincookie entries during upgrade to prevent spoofed hostnames from being accepted.

What the fix does

The patch changes the `logincookies` table to store the client's IP address (`ipaddr`) instead of the reverse-DNS-resolved hostname. This eliminates the attack vector because the IP address is obtained directly from the TCP connection (`REMOTE_ADDR`) and cannot be spoofed by the attacker's DNS configuration. All existing logincookie entries are deleted during upgrade to ensure no stale hostname-based entries remain valid [ref_id=1].
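The vulnerable and fixed behaviours described above, reduced to a runnable model. This is an added example, not Bugzilla's own Perl code: the reverse-DNS data, IP addresses, user id and the SQLite `logincookies` schema (including the `AUTOINCREMENT` cookie id) are all constructed for the demonstration, and the web server is assumed to have `HostnameLookups` on so that `REMOTE_HOST` is populated. The attacker is assumed to already hold the victim's cookie value, which is the third precondition listed below.

```python
"""Model of CVE-2002-0804: binding a session to REMOTE_HOST (reverse DNS,
attacker-controlled) versus REMOTE_ADDR (TCP peer address). Example code,
not Bugzilla's own implementation."""
import sqlite3

# Constructed PTR data. The attacker owns the 203.0.113.50 reverse zone and
# has published a record that claims the victim's hostname.
PTR_ZONE = {
    "198.51.100.7": "victim-desk.corp.example",   # the real victim machine
    "203.0.113.50": "victim-desk.corp.example",   # attacker-controlled PTR
}
VICTIM_IP, ATTACKER_IP, VICTIM_USERID = "198.51.100.7", "203.0.113.50", 42


def cgi_env(peer_ip):
    """CGI environment as Apache hands it to a script with HostnameLookups On.
    REMOTE_ADDR comes from the TCP connection; REMOTE_HOST is whatever the
    owner of the client's reverse zone chose to publish."""
    return {"REMOTE_ADDR": peer_ip, "REMOTE_HOST": PTR_ZONE.get(peer_ip, peer_ip)}


def create_table(db, client_column):
    """logincookies keyed on 'hostname' (pre-fix) or 'ipaddr' (fixed).
    The column name is taken from a fixed whitelist, never from input."""
    assert client_column in ("hostname", "ipaddr")
    db.execute(
        "CREATE TABLE logincookies (cookie INTEGER PRIMARY KEY AUTOINCREMENT,"
        f" userid INTEGER NOT NULL, {client_column} TEXT NOT NULL)"
    )


def new_db(client_column):
    db = sqlite3.connect(":memory:")
    create_table(db, client_column)
    return db


def issue_cookie(db, client_column, userid, client_value):
    cur = db.execute(
        f"INSERT INTO logincookies (userid, {client_column}) VALUES (?, ?)",
        (userid, client_value),
    )
    return cur.lastrowid


def lookup_cookie(db, client_column, cookie, client_value):
    """Return the userid if the cookie exists AND the client binding matches."""
    row = db.execute(
        f"SELECT userid FROM logincookies WHERE cookie = ? AND {client_column} = ?",
        (cookie, client_value),
    ).fetchone()
    return row[0] if row else None


# Vulnerable: the session is bound to the reverse-DNS name.
def vuln_login(db, userid, env):
    return issue_cookie(db, "hostname", userid, env["REMOTE_HOST"])


def vuln_validate(db, cookie, env):
    return lookup_cookie(db, "hostname", cookie, env["REMOTE_HOST"])


# Fixed: the session is bound to the TCP peer address.
def fixed_login(db, userid, env):
    return issue_cookie(db, "ipaddr", userid, env["REMOTE_ADDR"])


def fixed_validate(db, cookie, env):
    return lookup_cookie(db, "ipaddr", cookie, env["REMOTE_ADDR"])


def upgrade(db):
    """Schema change plus the invalidate-everything step of the fix. Old rows
    are deliberately not carried over: each holds a hostname that may already
    have been spoofed, so every existing session must log in again."""
    db.execute("DROP TABLE logincookies")
    create_table(db, "ipaddr")


def demo():
    victim, attacker = cgi_env(VICTIM_IP), cgi_env(ATTACKER_IP)
    r = {}
    db = new_db("hostname")
    cookie = vuln_login(db, VICTIM_USERID, victim)
    r["vuln_victim"] = vuln_validate(db, cookie, victim)        # 42
    r["vuln_attacker"] = vuln_validate(db, cookie, attacker)    # 42: accepted
    upgrade(db)
    r["stale_after_upgrade"] = fixed_validate(db, cookie, victim)  # None
    cookie = fixed_login(db, VICTIM_USERID, victim)
    r["fixed_victim"] = fixed_validate(db, cookie, victim)      # 42
    r["fixed_attacker"] = fixed_validate(db, cookie, attacker)  # None
    return r


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit: the attacker never touches the cookie table or the victim's DNS. They only edit the PTR record for an address they legitimately own, and the hostname comparison accepts them. After the upgrade the old cookie is gone entirely, and a fresh one is bound to `REMOTE_ADDR`, which the attacker's reverse zone cannot influence.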

Preconditions

  • config: Bugzilla must be configured to perform reverse DNS lookups (HostnameLookups enabled in Apache)
  • network: Attacker must control reverse DNS for their IP address to return a spoofed hostname
  • input: Attacker must obtain or guess a valid login cookie for the victim user

Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References
