Security Bulletin: FogBugz Simultaneous Login Vulnerability
Impact of Vulnerability:
Under rare circumstances if two users log onto FogBugz at the exact same time, one of them will assume the identity of the other.
Affected Software:
Licensed Versions of FogBugz 3.0 and 4.0 prior to 4.0.39.
Licensed Versions of FogBugz 5 prior to 5.0.25.
Licensed Versions of FogBugz 6 prior to 6.0.31.
All platforms (Windows, Unix, Macintosh) are affected.
Not Affected:
FogBugz On Demand
Recommendation:
All users of FogBugz should install this upgrade.
Details:
Under extremely rare circumstances, when two users log on to FogBugz at the same time, one of the users will assume the identity of the other and will be logged on as that user.
This may allow users to see and edit things inside FogBugz which they don't have permission to see.
For example, if Alice and Bob log on at the same time, there is a small chance that Bob will find himself logged on as Alice with all her permissions and settings.
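The bulletin does not say what caused the mix-up. As an added illustration (not FogBugz's code; the mechanism is an assumption), here is one common way two logins arriving at the same moment end with one user holding the other's identity: the login handler keeps the authenticated user in a field shared by all requests, and the two requests interleave between writing and reading it. The second handler keeps that state per request, which is the usual fix. The barrier is only a test hook that forces the interleaving so the race reproduces deterministically.

```python
import threading
USERS = {"alice": "pw-a", "bob": "pw-b"}  # constructed example table, not FogBugz data

class VulnerableLogin:
    """Keeps the authenticated user in a field shared by all requests (assumed bug pattern)."""
    def __init__(self, barrier=None):
        self.current_user = None   # shared across concurrent requests: the defect
        self.sessions = {}
        self.barrier = barrier     # test hook that forces the two logins to interleave

    def login(self, username, password, session_id):
        if USERS.get(username) != password:
            return None
        self.current_user = username                    # step 1: write shared state
        if self.barrier:
            self.barrier.wait()                         # the other login runs step 1 here
        self.sessions[session_id] = self.current_user   # step 2: read whatever is there now
        return self.sessions[session_id]

class FixedLogin:
    """Same flow with request-local state and a lock around the session table."""
    def __init__(self, barrier=None):
        self.sessions = {}
        self.lock = threading.Lock()
        self.barrier = barrier

    def login(self, username, password, session_id):
        if USERS.get(username) != password:
            return None
        user = username                                 # local to this request; nothing to race on
        if self.barrier:
            self.barrier.wait()
        with self.lock:
            self.sessions[session_id] = user
        return user

def simultaneous_logins(handler_cls):
    """Log Alice and Bob in at the same moment; return the user each session ended up as."""
    handler = handler_cls(threading.Barrier(2))
    results = {}
    def attempt(user, pw, sid):
        results[sid] = handler.login(user, pw, sid)
    threads = [threading.Thread(target=attempt, args=("alice", "pw-a", "alice-session")),
               threading.Thread(target=attempt, args=("bob", "pw-b", "bob-session"))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results
```

With the vulnerable handler both sessions come back as the same user (whichever request wrote the shared field last), which is exactly the Alice-and-Bob outcome described above; with the fixed handler each session holds its own user.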
Mitigating Factors:
An attacker would first need to gain access to your FogBugz website to exploit this vulnerability, and would need their own FogBugz account.
Upgrading:
If you are using FogBugz 3.x or 4.x, please upgrade to FogBugz 4.0.39.
If you are using FogBugz 5.x, please upgrade to FogBugz 5.0.25.
All customers of FogBugz 3.0 (or later) are entitled to this upgrade free of charge.
To download the upgrade, log on to https://shop.fogcreek.com/fogbugz/status.asp with the email address and order ID number you used to purchase FogBugz. For help, contact Fog Creek Customer Service.
