CVE-2001-0330 in Bugzilla

Summary

by MITRE

Bugzilla 2.10 allows remote attackers to access sensitive information, including the database username and password, via an HTTP request for the globals.pl file, which is normally returned by the web server without being executed.


Analysis

by VulDB Data Team • 10/07/2025

CVE-2001-0330 is a critical information disclosure flaw in Bugzilla version 2.10 that exposes sensitive database credentials to remote attackers. The globals.pl file, which contains database connection parameters including the username and password, is served directly by the web server without being executed and without access control. Because the web server configuration does not process this file as a script, unauthorized users can retrieve the database authentication credentials through simple HTTP requests.

This vulnerability maps directly to CWE-200, which describes the exposure of sensitive information to an unauthorized actor, and falls under the broader category of insecure configuration issues. The technical flaw lies in the web server's file handling: Perl scripts intended to be executed server-side are instead served as static content. This misconfiguration lets attackers bypass normal application security controls and directly access system configuration files that should remain protected. The vulnerability is particularly dangerous because it requires no authentication or specialized tools to exploit, making it highly accessible to malicious actors.

The operational impact of this vulnerability is severe: it gives attackers direct access to database credentials, enabling them to establish unauthorized database connections and potentially compromise the entire backend infrastructure. Attackers can use this information to exfiltrate data, modify database contents, escalate privileges, or move laterally within the network. The vulnerability affects the confidentiality and integrity of the system, as database authentication information is exposed to anyone who can make HTTP requests to the affected server. This creates a significant risk for organizations relying on Bugzilla for bug tracking and development management, as the exposure of database credentials can lead to complete system compromise.

Mitigation strategies should focus on proper web server configuration to ensure that Perl scripts and other sensitive files are not directly accessible through HTTP requests. Organizations should implement proper file access controls, configure the web server to execute Perl scripts rather than serve them as static content, and restrict access to sensitive configuration files through appropriate directory permissions and .htaccess rules. The vulnerability also highlights the importance of regular security audits and proper input validation. According to the ATT&CK framework, this vulnerability relates to T1566 - Phishing and T1071.1 - Application Layer Protocol: Web Protocols, as it involves exploitation of web server misconfigurations to obtain sensitive information. System administrators should also implement network monitoring to detect unauthorized access attempts and ensure that all web applications are properly configured to prevent such information disclosure scenarios.
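
One way to implement the monitoring recommended above, as an added example that is not part of the original entry or of Bugzilla: a Python scan of Apache access-log lines for direct requests to .pl include files such as globals.pl. The log lines are constructed samples, and the rule that .pl files are never legitimate request targets is an assumption about the deployment.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache common/combined prefix: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumption: include files end in .pl (as globals.pl does) and are never
# meant to be requested directly; CGI entry points use another extension.
INCLUDE_RE = re.compile(r'\.pl$', re.IGNORECASE)

# Constructed sample log lines (documentation-range addresses, made-up sizes).
SAMPLE_LOG = """\
192.0.2.10 - - [27/Jun/2001:10:00:01 +0000] "GET /bugzilla/query.cgi HTTP/1.0" 200 5120
198.51.100.7 - - [27/Jun/2001:10:00:05 +0000] "GET /bugzilla/globals.pl HTTP/1.0" 200 18432
198.51.100.7 - - [27/Jun/2001:10:00:09 +0000] "GET /bugzilla/globals%2Epl?x=1 HTTP/1.0" 403 291
203.0.113.4 - - [27/Jun/2001:10:01:00 +0000] "HEAD /bugzilla/globals.pl HTTP/1.0" 200 -
"""

def classify(line):
    """Return (verdict, host, path) for a request to a .pl include, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string, then decode %-escapes so "globals%2Epl" still matches.
    path = unquote(urlsplit(m["target"]).path)
    if not INCLUDE_RE.search(path):
        return None
    status = int(m["status"])
    size = 0 if m["size"] == "-" else int(m["size"])
    if status in (200, 206) and size > 0:
        verdict = "EXPOSED"   # a body was returned for a direct request
    elif status in (401, 403, 404):
        verdict = "BLOCKED"   # request seen, server refused it
    else:
        verdict = "REVIEW"    # e.g. HEAD with no body, 304, 500
    return verdict, m["host"], path

def scan(log_text):
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for verdict, host, path in scan(SAMPLE_LOG):
        print(f"{verdict:8} {host:15} {path}")
```

An EXPOSED hit means the file has already been returned to a client, so the database password it contains should be rotated in addition to fixing the server configuration.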

Disclosure: 06/27/2001
Moderation: accepted
Entry: VDB-16832
CPE: ready
EPSS: 0.00626
KEV: no
Activities: very low
