CVE-2002-0811
Description
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, may allow remote attackers to cause a denial of service or execute certain queries via a SQL injection attack on the sort order parameter to buglist.cgi.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:mozilla:bugzilla:2.14:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:bugzilla:2.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:bugzilla:2.16:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:bugzilla:2.16:rc1:*:*:*:*:*:*
- (no CPE) range: <2.14.2, <2.16rc2
Patches
Vulnerability mechanics
Root cause
"Missing input validation on the `order` parameter in `buglist.cgi` allows arbitrary SQL to be injected into the ORDER BY clause."
Attack vector
An attacker sends a crafted HTTP request to `buglist.cgi` with a malicious `order` parameter containing SQL injection payloads (e.g., UNION subqueries in MySQL 4). The parameter is inserted directly into the SQL ORDER BY clause without sanitization, allowing the attacker to execute arbitrary SQL or cause a denial of service. The advisory notes that MySQL 4's UNION support makes this exploitable for data extraction, while PostgreSQL's syntax limits it to sorting manipulation [ref_id=1].
Affected code
The vulnerability is in `buglist.cgi`, where the `order` parameter is passed directly into SQL queries without validation. The fix adds a validation loop that checks each sort column fragment against a strict identifier regex (`[A-Za-z_][0-9A-Za-z_]*\.[A-Za-z_][0-9A-Za-z_]*`) and rejects invalid column names with an error message [ref_id=1].
What the fix does
The patch adds a validation loop in `buglist.cgi` that splits the `order` parameter on commas/whitespace and checks each fragment against a strict identifier regex (`[A-Za-z_][0-9A-Za-z_]*\.[A-Za-z_][0-9A-Za-z_]*`). Fragments that do not match (e.g., containing SQL keywords, spaces, or subqueries) cause an error message and exit, preventing injection. The fix also clears the `LASTORDER` cookie if it contains an invalid sort order [ref_id=1].
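The validation described in the two sections above (an allow-list check of each sort fragment against the strict `table.column` identifier regex, followed by building the ORDER BY clause only from fragments that passed) is shown below as an added example in Python. It is not Bugzilla's own Perl code or the patch from the advisory; the splitting rule, the `sort_order_from_request` helper, the `DEFAULT_ORDER` value and the sample inputs are constructed here to illustrate the mechanism.

```python
import re
from typing import List, Optional, Tuple

# Strict identifier pattern quoted in the fix description: exactly one table.column name.
# re.fullmatch anchors it, so nothing can be appended or prepended to a valid name.
SORT_COLUMN_RE = re.compile(r"[A-Za-z_][0-9A-Za-z_]*\.[A-Za-z_][0-9A-Za-z_]*")

# Constructed fallback used when no usable sort order is supplied (not from the page).
DEFAULT_ORDER = "bugs.bug_id"


class InvalidSortOrder(ValueError):
    """Raised when the order parameter contains anything other than table.column names."""


def split_order(order: str) -> List[str]:
    """Split the raw order parameter on commas and whitespace, dropping empty pieces."""
    return [frag for frag in re.split(r"[,\s]+", order.strip()) if frag]


def validate_order(order: str) -> List[str]:
    """Return the sort fragments if every one is a bare table.column identifier.

    Anything else (keywords such as UNION, parentheses, spaces inside a fragment,
    a column without a table prefix) is rejected before it can reach the query.
    """
    fragments = split_order(order)
    for frag in fragments:
        if not SORT_COLUMN_RE.fullmatch(frag):
            raise InvalidSortOrder(f"invalid sort column: {frag!r}")
    return fragments


def build_order_by(order: str) -> str:
    """Assemble the ORDER BY clause from validated fragments only."""
    return "ORDER BY " + ", ".join(validate_order(order))


def sort_order_from_request(param: Optional[str], cookie: Optional[str]) -> Tuple[str, bool]:
    """Hypothetical request handler mirroring the described LASTORDER handling.

    The explicit request parameter wins and is rejected outright if invalid.
    Otherwise the remembered cookie value is used; if it no longer validates the
    caller is told to clear the cookie (second return value) and the default is used.
    """
    if param:
        return build_order_by(param), False
    if cookie:
        try:
            return build_order_by(cookie), False
        except InvalidSortOrder:
            return build_order_by(DEFAULT_ORDER), True
    return build_order_by(DEFAULT_ORDER), False


if __name__ == "__main__":
    # Constructed sample inputs: two well-formed sort orders and two that must be refused.
    print(build_order_by("bugs.bug_id, bugs.priority"))
    print(sort_order_from_request(None, "bugs.bug_id UNION"))
    for bad in ("priority", "bugs.bug_id, (select 1)"):
        try:
            validate_order(bad)
        except InvalidSortOrder as exc:
            print("rejected:", exc)
```

The check deliberately accepts only the `table.column` shape the advisory describes, so direction keywords like `ASC`/`DESC` are refused as well; a deployment that needs them would add them to the allow-list explicitly rather than loosen the regex.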
Preconditions
- network: The attacker must be able to send HTTP requests to a Bugzilla instance running a vulnerable version (2.14 before 2.14.2, or 2.16 before 2.16rc2).
- auth: No authentication is required; the `order` parameter is accepted from unauthenticated users.
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.