VYPR
Unrated severity · NVD Advisory · Published Aug 12, 2002 · Updated Jun 16, 2026

CVE-2002-0805

Description

Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, (1) creates new directories with world-writable permissions, and (2) creates the params file with world-writable permissions, which allows local users to modify the files and execute code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products (5)

  • cpe:2.3:a:mozilla:bugzilla:2.14:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:bugzilla:2.14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:bugzilla:2.16:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:bugzilla:2.16:rc1:*:*:*:*:*:*
  • (no CPE) range: <2.14.2 for 2.14, <2.16rc2 for 2.16

Patches

Vulnerability mechanics

Root cause

"The `WriteParams` function in `defparams.pl` creates the `data` directory and the `params` file with world-writable permissions, allowing local users to overwrite the file with arbitrary code."

Attack vector

A local user who knows the path to the `params` file can overwrite it with arbitrary Perl code, because the file is world-writable. If the `data` directory does not exist, `WriteParams` creates it with world-writable permissions, allowing any local user to place files there. An attacker can inject code such as `if ($::userid = 12345) { $::usergroupset = whatever; }` to escalate privileges or execute arbitrary commands on the Bugzilla server.

Affected code

The bug is in `defparams.pl`'s `WriteParams` function, which creates the `data` directory and the `params` file with world-writable permissions. The same insecure `chmod` calls appear in `globals.pl`, `importxml.pl`, and `move.pl`.

What the fix does

The patch removes the insecure `mkdir`/`chmod` calls from `defparams.pl` and related scripts, and instead relies on `checksetup.pl` to set proper permissions. It also adds `die` statements with the file name and error message when lock files cannot be opened, preventing silent failures. The fix ensures that the `data` directory and `params` file are not created with world-writable permissions, closing the local privilege escalation vector.
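The condition this CVE describes is simple to audit for: a directory or file whose mode carries the "other write" bit. The following Python script is an added example, not Bugzilla's own code, and it assumes a POSIX filesystem. It builds two constructed `data` directories in a temporary location, one created the way the advisory describes the pre-fix behaviour (0777 directory, 0666 `params` file) and one created with owner-only write permissions, then runs a small audit over both. The names `audit_tree`, `create_params_insecure`, `create_params_secure` and `demo` are the example's own.

```python
"""Audit a Bugzilla-style data directory for world-writable entries.

Constructed example for CVE-2002-0805; not Bugzilla code. Assumes POSIX
permission bits (stat.S_IWOTH), so it is not meaningful on Windows.
"""
import os
import stat
import tempfile


def world_writable(path: str) -> bool:
    """True if 'other' has write permission on path (the CVE's precondition)."""
    mode = os.lstat(path).st_mode
    return bool(mode & stat.S_IWOTH)


def audit_tree(root: str) -> list:
    """Return paths under root (root itself included, as '.') that are
    world-writable, relative to root and sorted for stable comparison."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if world_writable(dirpath):
            findings.append(os.path.relpath(dirpath, root))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if world_writable(full):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


# Constructed stand-in for the params file content; the real file holds Perl
# assignments that Bugzilla evaluates, which is why write access matters.
SAMPLE_PARAMS = "$::param{'maintainer'} = 'admin@example.invalid';\n"


def create_params_insecure(data_dir: str) -> str:
    """Mirror the pre-fix behaviour described in the advisory: the data
    directory and params file end up world-writable."""
    os.mkdir(data_dir)
    os.chmod(data_dir, 0o777)  # explicit chmod, so the umask does not hide it
    params = os.path.join(data_dir, "params")
    with open(params, "w") as fh:
        fh.write(SAMPLE_PARAMS)
    os.chmod(params, 0o666)
    return params


def create_params_secure(data_dir: str) -> str:
    """Create the same layout with no write bit for 'other' (or group)."""
    os.mkdir(data_dir, 0o750)
    os.chmod(data_dir, 0o750)  # set the mode explicitly rather than trusting umask
    params = os.path.join(data_dir, "params")
    # O_EXCL refuses to follow a pre-planted file or symlink at this path.
    fd = os.open(params, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_PARAMS)
    os.chmod(params, 0o640)
    return params


def demo() -> tuple:
    """Build both layouts in a temp dir and return (insecure, secure) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        before = os.path.join(tmp, "data_before_fix")
        after = os.path.join(tmp, "data_after_fix")
        create_params_insecure(before)
        create_params_secure(after)
        return audit_tree(before), audit_tree(after)


if __name__ == "__main__":
    insecure_hits, secure_hits = demo()
    print("pre-fix layout, world-writable entries:", insecure_hits)
    print("post-fix layout, world-writable entries:", secure_hits)
```

Running the script reports `['.', 'params']` for the pre-fix layout and an empty list for the hardened one. Pointing `audit_tree` at a real Bugzilla `data` directory is a quick way to confirm that `checksetup.pl` has applied the intended permissions after an upgrade; the explicit `chmod` calls in `create_params_secure` matter because a `mkdir` or `open` mode is only a request that the process umask can loosen or tighten.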

Preconditions

  • auth: The attacker must have local shell access to the Bugzilla server.
  • config: The `data` directory must not exist (for the directory creation vector), or the attacker must know the path to the `params` file.

Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
