Security Advisory for Bugzilla 2.18.5, 2.20.2, 2.22, and 2.23.2

Summary
=======

Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.

This advisory covers six security issues that have recently been 
fixed in the Bugzilla code:

+ Sometimes the information put into the <h1> and <h2> tags in Bugzilla
  was not properly escaped, leading to a possible XSS vulnerability.

+ Bugzilla administrators were allowed to put raw, unfiltered HTML into
  many fields in Bugzilla, leading to a possible XSS vulnerability. 
  Now, the HTML allowed in those fields is limited.

+ attachment.cgi, when viewing an attachment in "Diff" mode, could leak
  the one-line descriptions of private attachments to users who are not
  allowed to see them.

+ The "deadline" field was visible in the XML format of a bug, even to
  users who were not a member of the "timetrackinggroup."

+ A malicious user could craft a URL and get an administrator to follow
  it, making the administrator delete or change something that he had
  not intended to delete or change (a cross-site request forgery).

+ It is possible to inject arbitrary HTML into the showdependencygraph.cgi
  page, allowing for a cross-site scripting attack.

We strongly advise that 2.18.x users upgrade to 2.18.6. 2.20.x users
should upgrade to 2.20.3. 2.22 users, and users of 2.16.x or below,
should upgrade to 2.22.1.

Development snapshots of 2.23 before 2.23.3 are also vulnerable to all
of these issues. If you are using a development snapshot, you should
upgrade to 2.23.3, use CVS to update, or apply the patches from the 
specific bugs listed below.

Vulnerability Details
=====================

Issue 1
-------
Class:       Cross-Site Scripting
Versions:    2.15 and above
Description: Bugzilla sometimes displays admin-provided data in page
             headers (meaning the <h1> and <h2> HTML tags of a page).
             In some places this data was inserted into the page
             without being HTML-escaped, leading to the possibility of
             a Cross-Site Scripting vulnerability. For the most part,
             only administrators could supply the offending data, so
             this issue is not of critical severity.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=330555

Issue 2
-------
Class:       Cross-Site Scripting
Versions:    2.0 and above
Description: Bugzilla allows administrators to put HTML in the
             descriptions of products, components, and other items. It
             also allows HTML in certain other fields. Before the
             most recent releases of Bugzilla, this HTML was completely
             unfiltered. These fields are only editable by certain
             users, who are specified by the admin, which makes this
             vulnerability less severe. However, those users could
             exploit it to perform Cross-Site Scripting attacks on
             nearly all users of a particular Bugzilla (including
             users with higher permission levels than themselves).

             Bugzilla now allows only certain HTML tags in those fields,
             protecting users from a Cross-Site Scripting attack.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=206037
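
The fixes for Issues 1 and 2 come down to two different treatments of
untrusted text: plain data (such as a name shown in an <h1>) is
HTML-escaped before it is placed in the page, while fields that are
meant to carry markup are passed through a tag allowlist rather than
emitted raw. The Python example below is added here for illustration
and is not Bugzilla's code; the advisory does not list which tags
Bugzilla now permits, so the ALLOWED_TAGS set, the href-only rule for
links and the http(s)-only URL check are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Hypothetical allowlist: the advisory says only "certain HTML tags" are
# now permitted in descriptions but does not name them, so this is an
# assumption. Everything not listed here is dropped (the tag, not its text).
ALLOWED_TAGS = {"b", "i", "em", "strong", "u", "p", "br", "ul", "ol", "li", "code", "a"}
VOID_TAGS = {"br"}
# Only <a href> survives, and only with an http(s) URL (blocks javascript: URLs).
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL = re.compile(r"^https?://", re.IGNORECASE)
# Tags whose text content is discarded along with the tag itself.
DROP_CONTENT = {"script", "style"}


def escape_for_header(value):
    """Issue 1 fix: escape an untrusted string before it goes inside <h1>/<h2>."""
    return html.escape(value, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Issue 2 fix: rewrite HTML keeping only allowlisted tags/attributes.
    Text is re-escaped, unknown tags are dropped, output is kept well-formed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.dropping = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.dropping += 1
            return
        if tag not in ALLOWED_TAGS or self.dropping:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, style=, etc.
            if name == "href" and not SAFE_URL.match((value or "").strip()):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.dropping:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.dropping = max(0, self.dropping - 1)
            return
        if self.dropping or tag not in self.open_tags:
            return
        # Close anything opened after this tag so nesting stays valid.
        while self.open_tags:
            top = self.open_tags.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_description(value):
    """Filter an admin-editable description field down to the allowlist."""
    s = AllowlistSanitizer()
    s.feed(value)
    return s.result()
```

Note the distinction the two functions draw: escape_for_header() never
lets markup through, while sanitize_description() lets the allowlisted
subset through but still escapes the text between tags and strips
every attribute it does not explicitly know. A filter that only removes
<script> tags (a denylist) would still pass event handlers such as
onclick and javascript: links, which is why the allowlist direction is
the one to use.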

Issue 3
-------
Class:       Information Leak
Versions:    2.17 and above
Description: When viewing an attachment in "Diff" mode, a user who is
             not in the "insidergroup" (the group required to view
             private attachments) can read the one-line descriptions
             of all attachments, even "private" attachments.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=346086

Issue 4
-------
Class:       Information Leak
Versions:    2.19.2 and above
Description: Bugzilla has a "deadline" field, which is usually only
             visible to people in the "timetrackinggroup" group.
             However, it was exposed in the XML format of a bug to all
             users.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=346564

Issue 5
-------
Class:       Security Enhancement
Versions:    2.0 and above
Description: Bugzilla updates, deletes, and creates data through a
             web interface. Administrators update things like user
             accounts through this interface. All of these pages accept
             URL variables in both GET and POST formats, so a request
             that changes data can be carried entirely in a link. This
             is a cross-site request forgery (CSRF).

             A malicious user could craft a URL that would edit a user
             (or any other admin-protected item), and then, using a
             service like TinyURL, could obscure the URL so that an
             administrator couldn't tell what it was. If the
             administrator then clicked on that URL while logged in to
             Bugzilla, the browser would send the administrator's
             session cookie along with it and the action would be
             performed against the administrator's will.

             This is now prevented. Bugzilla will only accept changes
             on administrative pages if they come from Bugzilla's own
             forms. That is, you have to use the form to make changes:
             you cannot just click a URL and accidentally make an
             administrative change to Bugzilla.

             Although technically this affects all versions of Bugzilla,
             it has only been fixed on our most recent release (2.22.1
             and our latest development snapshot, 2.23.3), because the
             fix was too invasive to backport further. Administrators
             of previous versions of Bugzilla should only click on URLs
             from users that they fully trust.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=281181
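
The advisory states the property the fix provides (changes are accepted
only when they come from Bugzilla's own forms) but not how it is
implemented. The standard way to get that property is to embed a
secret, per-session token in every server-generated form and refuse any
state-changing request that does not carry a valid one. The Python
example below is added here to show that mechanism; it is not
Bugzilla's code, and the script name, parameter names (action, user,
disabled, token) and the in-process SERVER_KEY are assumptions.

```python
import hashlib
import hmac
import html
import secrets

# Hypothetical per-installation secret, generated at startup for this
# example. A real deployment keeps it outside the code.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id, action):
    """Token the server embeds in its own form, bound to one session and one
    action. An attacker cannot compute it: they have neither SERVER_KEY nor
    the victim's session id."""
    msg = ("%s\x00%s" % (session_id, action)).encode("utf-8")
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def is_valid_token(session_id, action, token):
    if not token:
        return False
    expected = issue_token(session_id, action)
    return hmac.compare_digest(expected, token)


def build_edit_user_form(session_id, login):
    """The server's own form: the token travels as a hidden field."""
    return (
        '<form method="POST" action="editusers.cgi">\n'
        '  <input type="hidden" name="action" value="edit_user">\n'
        '  <input type="hidden" name="token" value="%s">\n'
        '  <input type="hidden" name="user" value="%s">\n'
        '  <input type="checkbox" name="disabled" value="1"> Disable account\n'
        '  <input type="submit" value="Save">\n'
        '</form>\n'
    ) % (issue_token(session_id, "edit_user"), html.escape(login, quote=True))


def handle_edit_user(request):
    """Server side of the state-changing action. `request` is a dict with
    'method', 'session_id' (what the browser's cookie identifies) and
    'params'. Returns a dict with 'status' so the outcome can be checked."""
    if request["method"] != "POST":
        # A link (GET) must never change data, shortened or not.
        return {"status": "refused", "reason": "state change requested via GET"}
    params = request["params"]
    if not is_valid_token(request["session_id"], "edit_user", params.get("token")):
        return {"status": "refused", "reason": "missing or invalid form token"}
    return {"status": "ok", "user": params["user"],
            "disabled": params.get("disabled") == "1"}


def attacker_link(target_login):
    """The pre-fix attack: a plain link carrying the whole change. The
    attacker can obscure it with a URL shortener but cannot add a valid token."""
    return "editusers.cgi?action=edit_user&user=%s&disabled=1" % target_login


def forged_request_from_link(admin_session_id, link):
    """What the server sees when a logged-in admin follows the attacker's
    link: the admin's own session, the attacker's parameters, no token."""
    _, query = link.split("?", 1)
    params = dict(pair.split("=", 1) for pair in query.split("&"))
    return {"method": "GET", "session_id": admin_session_id, "params": params}
```

Two details matter in practice. Refusing GET on its own is not enough,
because an attacker's page can auto-submit a POST form into the
victim's browser, so the token check must run on POST as well. And the
token is bound to both the session and the action: a token the attacker
obtains from their own session, or one the admin was issued for a
different form, is rejected.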

Issue 6
-------
Class:       Cross-Site Scripting
Versions:    2.15 and above
Description: showdependencygraph.cgi is a script that allows you to display
             a graph of how bugs are related. There is a cross-site
             scripting vulnerability in this script that allows for arbitrary
             HTML injection. This is a reflected attack: the user would
             have to follow a malicious URL in order to trigger it, and
             it is not possible for another user to otherwise inject HTML
             into the page for the current user.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=355728


Vulnerability Solutions
=======================

The fixes for all of the security bugs mentioned in this advisory
are included in the 2.18.6, 2.20.3, 2.22.1, and 2.23.3 releases. 
Upgrading to these releases will protect installations from possible
exploits of these issues.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:

  http://www.bugzilla.org/download.html

Specific patches for each of the individual issues can be found on the
corresponding bug reports for each issue, at the URL given in the
reference for that issue in the list above.


Credits
=======

The Bugzilla team wishes to thank the following people for their
assistance in locating, advising us of, and helping us to fix
these issues:

Frédéric Buclin*
Dave Miller
Gervase Markham
Gavin Shelley
Max Kanat-Alexander
Myk Melez
Josh "timeless" Soref
Olav Vitters
Adam Merrifield

* The Bugzilla Project would like to express special thanks to 
  Frédéric. He worked many, many volunteer hours to fix many of the
  issues above, and is largely responsible for most of these issues
  being fixed. They would not have been fixed without him.

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list. 
http://www.bugzilla.org/support/ has directions for accessing these 
forums.

-Max Kanat-Alexander
Release Manager, Bugzilla Project

Posted by Max to mozilla.support.bugzilla, 10/15/2006 10:04:49 AM

Similar Articles

Release of Bugzilla 2.18.6, 2.20.3, 2.22.1, and 2.23.3
We have many releases for you, today! Bugzilla 2.18.6 and 2.20.3 are security-fix releases for our older branches. Bugzilla 2.22.1 is our first bugfix release in the 2.22 series, and contains many useful fixes that improve the experience of using Bugzilla. Finally, we are releasing an unstable development snapshot, Bugzilla 2.23.3. This snapshot has both custom fields and mod_perl support, but has not been tested as thoroughly as our other releases. The 2.23 series will eventually culminate in Bugzilla 3.0. Users of the 2.18.x series should note that 2.18.x will r...

Security Advisory for Bugzilla 2.18, 2.19.2, and 2.16.8
Summary ======= Bugzilla is a Web-based bug-tracking system, used by a large number of software projects. This advisory covers two security bugs that have recently been discovered and fixed in the Bugzilla code: + In all versions of Bugzilla since at least 2.16, it is possible to guess the name of a hidden product and have Bugzilla confirm that you were correct. + In Bugzilla 2.18 and above, a user's username and password are sometimes exposed in the URL after generating a Report. All Bugzilla installations are advised to upgrade to the latest stable version of Bu...

[ANN] Security Advisory for Bugzilla 2.20.3, 2.22.1, and 2.23.3
Summary ======= Bugzilla is a Web-based bug-tracking system, used by a large number of software projects. This advisory covers two security issues that have recently been fixed in the Bugzilla code: + A possible cross-site scripting (XSS) vulnerability in Atom feeds produced by Bugzilla. + Web server settings given by Bugzilla which provide security settings to protect data files from access via the web are overridden by the mod_perl startup script when running under mod_perl (development snapshot only). We strongly advise that 2.20.x users should up...

[ANN] Release of Bugzilla 2.22 (also 2.20.2 and 2.23.1)
The Bugzilla Project is proud to announce the official release of Bugzilla 2.22. Bugzilla 2.22 is a major new feature release for Bugzilla, containing a large number of bug fixes and enhancements, including complete PostgreSQL support, UTF-8 support, user-impersonation capabilities, and more. You can see a description of all the new features in Bugzilla 2.22 at: http://www.bugzilla.org/releases/2.22/new-features.html The Bugzilla Project is also releasing 2.20.2, a bug-fix release for the 2.20 branch recommended for all 2.20 branch users. We also have a development snapshot, B...

[ANN] Release of Bugzilla 2.20.4, 2.22.2, and 2.23.4
Three Bugzilla releases today! They're mostly security-fix and bug-fix updates. Bugzilla 2.22.2 is a bug-fix and security-fix release for the Bugzilla 2.22 series. Bugzilla 2.20.4 is a security-fix release for the Bugzilla 2.20 series. Bugzilla 2.23.4 is our unstable development release. However, it should be considerably more stable than 2.23.3, since it is currently running on https://bugzilla.mozilla.org/ and has received some "live tes...

Security Advisory for Bugzilla 2.20, 2.21.1, and 2.18.4
Summary ======= Bugzilla is a Web-based bug-tracking system, used by a large number of software projects. This advisory covers three security bugs that have recently been discovered and fixed in the Bugzilla code: + The 'whinedays' and 'mostfreqthreshold' parameters are not correctly validated in editparams.cgi. The first one can lead to SQL injection. + Escaped HTML markup in titles of RSS feeds are incorrectly decoded by some RSS readers and could potentially lead to XSS vulnerabilities. + The login form on the home page, in conjunction with very specif...

[ANN] Release of Bugzilla 2.22rc1, 2.20.1, 2.18.5, and 2.16.11
The Bugzilla Project is proud to announce our first Release Candidate for Bugzilla 2.22. Bugzilla 2.22 will be a major new feature release for Bugzilla, containing a large number of bug fixes and enhancements, including complete PostgreSQL support, UTF-8 support, user-impersonation capabilities, and more. You can see a description of all the new features in Bugzilla 2.22 at: http://www.bugzilla.org/releases/2.22/new-features.html We are also releasing our first bug-fix release ...

Has anyone gone from 2.16.2 to 2.18.2 and then 2.22?
We have been able to go from 2.16.2 to 2.18.2 but now we need to get on 2.22. Does anyone have any tips we should keep in mind as we do this. BTW our MySQL is 4.1 Thanks, David Go for it. As long as you haven't customized Bugzilla, there shouldn't be any issues. Keep in mind, however, that as a general rule, I am a pessimist about software changes, no matter who wrote the software, especially if it's M$: "Blessed is the pessimist for he'th made backups." :) --- Kevin Benton Perl/Bugzilla Developer/Administrator, Perforce SCM Administrator ...

Updating Bugzilla 2.22 to 2.22.2
I don't have a lot of time left to repair my Bugzilla installation because people have to use it. I already made a post about my error - I don't think I will be able to solve it in time so I decided to upgrade Bugzilla. Can anyone tell me why I lose my system parameters when upgrading Bugzilla? I've put the new files (2.22.2) in the docroot /path/to/wwwroot and ran checksetup.pl. Everything looked just fine, I was able to login and all the users / other entries were there. But the system configuration seems to be lost (bug maintainer, urlbase, .....). Is it not saved in ...

Security Advisory for Bugzilla 2.18.3, 2.20rc2, and 2.21
Summary ======= Bugzilla is a Web-based bug-tracking system, used by a large number of software projects. This advisory covers two security bugs that have recently been discovered and fixed in the Bugzilla code: + config.cgi exposes information to users who aren't logged in, even when "requirelogin" is turned on in Bugzilla. + It is possible to bypass the "user visibility groups" restrictions if user-matching is turned on in "substring" mode. All Bugzilla installations are advised to upgrade to the latest stable version of Bugzilla, 2...

upgrading from 2.16.2 to 2.20.2
Hi, I have Bugzilla 2.16.2 installed on RedHat 9, which is working fine. I want to upgrade to 2.20.2. I am using the tarball method mentioned in the bugzilla upgrade guide. bash$ tar xvf bugzilla-STABLE.tar bash$ cd bugzilla-2.20 bash$ cp ../bugzilla/localconfig* . bash$ cp -r ../bugzilla/data . bash$ cd .. bash$ mv bugzilla bugzilla.old bash$ mv bugzilla-2.20 bugzilla after this I tried to run ./checksetup.pl. at last it gives the following error ---------------------------------- If you want to see pretty HTML views of patches, you sho...

[ANN] Bugzilla 2.18 Released (and 2.16.8, 2.19.2)
After over two years of hard work from an international team of volunteers led by Dave Miller, we are proud to announce the release of Bugzilla 2.18. Bugzilla 2.18 is our best release to date. It is a major improvement over Bugzilla 2.16, containing over 1000 bug fixes and enhancements. See the link to the Release Notes below for details on all the enhancements. All Bugzilla administrators are encouraged to upgrade to it as soon as is convenient. If you run a Bugzilla installation, please let us know by emailing gerv@mozilla.org! We will put a link to your installation (or...
