Security advisory for Bugzilla 4.2rc1, 4.0.3, 3.6.7 and 3.4.13

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:

* When viewing tabular or graphical reports as well as new charts,
  an XSS vulnerability is possible in debug mode.

* The User.offer_account_by_email WebService method lets you create
  a new user account even if the active authentication method forbids
  users to create an account.

* A CSRF vulnerability in post_bug.cgi and in attachment.cgi could
  lead to the creation of unwanted bug reports and attachments.

All affected installations are encouraged to upgrade as soon as
possible.


Vulnerability Details
=====================

Class:       Cross-Site Scripting
Versions:    2.17.1 to 3.4.12, 3.5.1 to 3.6.6, 3.7.1 to 4.0.2,
             4.1.1 to 4.1.3
Fixed In:    3.4.13, 3.6.7, 4.0.3, 4.2rc1
Description: Tabular and graphical reports, as well as new charts have
             a debug mode which displays raw data as plain text. This
             text is not correctly escaped and a crafted URL could
             use this vulnerability to inject code leading to XSS.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=697699
CVE Number:  CVE-2011-3657

Class:       Unauthorized Account Creation
Versions:    2.23.3 to 3.4.12, 3.5.1 to 3.6.6, 3.7.1 to 4.0.2,
             4.1.1 to 4.1.3
Fixed In:    3.4.13, 3.6.7, 4.0.3, 4.2rc1
Description: The User.offer_account_by_email WebService method ignores
             the user_can_create_account setting of the authentication
             method and generates an email with a token in it which the
             user can use to create an account. Depending on the
             authentication method being active, this could allow the
             user to log in using this account.
             Installations where the createemailregexp parameter is
             empty are not vulnerable to this issue.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=711714
CVE Number:  CVE-2011-3667

Class:       Cross-Site Request Forgery
Versions:    2.0 to 3.4.12, 3.5.1 to 3.6.6, 3.7.1 to 4.0.2,
             4.1.1 to 4.1.3
Fixed In:    4.2rc1
Description: The creation of bug reports and of attachments is not
             protected by a token and so they can be created without
             the consent of a user if the relevant code is embedded
             in an HTML page and the user visits this page. This
             behavior was intentional to let third-party applications
             submit new bug reports and attachments easily. But as this
             behavior can be abused by a malicious user, it has been
             decided to block submissions with no valid token starting
             from version 4.2rc1. Older branches are not patched to not
             break these third-party applications after the upgrade.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=703975
             https://bugzilla.mozilla.org/show_bug.cgi?id=703983
CVE Number:  none

Vulnerability Solutions
=======================

The fixes for these issues are included in the 3.4.13, 3.6.7, 4.0.3,
and 4.2rc1 releases. Upgrading to a release with the relevant fixes will
protect your installation from possible exploits of these issues.

If you are unable to upgrade but would like to patch just the
individual security vulnerabilities, there are patches available for
each issue at the "References" URL for each vulnerability.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS/bzr upgrade instructions are available at:

  http://www.bugzilla.org/download/


Credits
=======

The Bugzilla team wish to thank the following people/organizations for
their assistance in locating, advising us of, and assisting us to fix
this issue:

Byron Jones
Fr�d�ric Buclin
Gervase Markham
David Lawrence
RedTeam Pentesting
Reed Loden
Max Kanat-Alexander
Mario Gomes

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJO/JfGAAoJEJZXZhv5X1hq7AMP/2RlnvdeguC6HdpyfylBSKaI
xcA6i221E2ilS9ABlKfVKWtMH877+wrLdmpmlG1486gOtYGs/jSMvPLvtBqy6guC
x61cd/rh1RzKA4kXDMkr3Hi0L6iyqiH9hp11257Qata1oOGqoMibhgQ2un3POyk5
DAWTTZpXuoMbukc22DkW1sgYUSfZCUiDOkkjViJqWcTPRWgowIwJOWTLuRGhpsVc
cm8MaVRwK32we4ehqc1oT/3JkuodFPX0H7iyxiTxZTjG6OGullT0SSJSXcOAerNO
et9OWRmm2HE5DLczPtb44V/21jVFLpybxyewRA5g8wN60Rcv9KE8Oz0lyJHXdN2W
PbwSMcESkwXs00RzRpdlkWkSGQFem9Fy3US+2g0FxCJ0ifoDk3vQX7YYeH40pyBj
wxOTvJw5nrMZHkxG90RULmQwBHqzRyFfZkOQ9T4q3lEDCXCuDEkjDNa9GoKBLFBg
Occ//WREBj2p+kTmSmbUd56s4oNodg177BFI3GUymywH9JWPkIWt829kkQEsW/A/
R//4rsNVf/ZFMrIuN6bkPaVC1cTpwd39W9Dv9xmMjv3Gwkkqn6sQtBFEz0IGA5FH
VEhMIO27lkRqWT/FOKzU80N+DdcTomNvBfoqgBOeFLSo4Ul2lZ+ZrdE+6LheY6i0
WZmikFV1zWtbk2Nzy/B/
=/+XO
-----END PGP SIGNATURE-----
0
ISO
12/29/2011 4:39:35 PM
mozilla.support.bugzilla 10082 articles. 0 followers. Post Follow

0 Replies
848 Views

Similar Articles

[PageSpeed] 32

Reply:

Similar Artilces:

[ANN] Release of Bugzilla 4.2rc1, 4.0.3, 3.6.7, and 3.4.13
Today we are announcing the first Release Candidate for Bugzilla 4.2, in addition to one new stable release and two security-only updates for the 3.4.x and 3.6.x series. Bugzilla 4.2rc1 is our first Release Candidate for Bugzilla 4.2. This release has received QA testing, and should be considerably more stable than the development releases before it. It is still not considered fully stable, and so you should understand that if you use it, you use it at your own risk. In particular, certain aspects of the WebServices have not yet been tested as part of this Release Candidate, s...

Security advisory for Bugzilla 4.3.3, 4.2.3, 4.0.8 and 3.6.11
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Summary ======= Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issues have been discovered in Bugzilla: * When the user logs in using LDAP, the username is not escaped before being passed to LDAP which could potentially lead to LDAP injection. * Extensions are not protected against directory browsing by default and users can view the source code of templates used by the extensions. These templates may contain sensitive data. All affected installations ar...

[ANN] Security Advisory for Bugzilla Versions Prior to 3.4.12, 3.6.6, 4.0.2, and 4.1.3
Summary ======= Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issues have been discovered in Bugzilla: * Internet Explorer 8 and older, and Safari before 5.0.6 do content sniffing when viewing a patch in "Raw Unified" mode, which could trigger a cross-site scripting attack due to the execution of malicious code in the attachment. * It is possible to determine whether or not certain group names exist while creating or updating bugs; and in Bugzilla 4.1.1 and 4.1.2, also by using custom se...

Security advisory for Bugzilla 4.3.2, 4.2.2, 4.0.7 and 3.6.10
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Summary ======= Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issues have been discovered in Bugzilla: * In HTML bugmails, an improper validation of the permissions of the addressee can lead to confidential information about bugs and attachments to be visible to the addressee. * The description of a private attachment can be visible to a user who hasn't permissions to access this attachment if the attachment ID is mentioned in a comment in a bug. Al...

Security advisory for Bugzilla 4.2rc2, 4.0.4, 3.6.8 and 3.4.14
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Summary ======= Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issues have been discovered in Bugzilla: * When a user creates a new account, Bugzilla doesn't correctly reject email addresses containing non-ASCII characters, which could be used to impersonate another user account. * A CSRF vulnerability in the implementation of the JSON-RPC API could be used to make changes to bugs or execute some admin tasks without the victim's knowledge. All af...

Security advisory for Bugzilla 4.5.3, 4.4.3, 4.2.8, and 4.0.12
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Summary ======= Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issues have been discovered in Bugzilla: * The login form had no CSRF protection, meaning that an attacker could force the victim to log in using the attacker's credentials. * Dangerous control characters can be inserted into Bugzilla, notably into bug comments, which can then be used to execute local commands. All affected installations are encouraged to upgrade as soon as possible. Vuln...

[ANN] Security Advisory for Bugzilla 3.2.6, 3.4.6, 3.6, and 3.7
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Summary ======= Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issues have been discovered in Bugzilla: * Everybody could search for time-tracking information, not just members of the timetrackinggroup. * Under suexec, "localconfig" was world-readable, meaning that local users with shell access to the Bugzilla server may have been able to see the database password and the site_wide_secret. All affected installations are encouraged to upgrade as so...

[ANN] Release of Bugzilla 4.3.3, 4.2.3, 4.0.8, and 3.6.11
Today we are releasing 4.2.3, 4.0.8, 3.6.11, and the unstable development snapshot 4.3.3. All of today's releases contain security fixes. We recommend all Bugzilla administrators to read the Security Advisory linked below. Bugzilla 4.2.3 is our latest stable release. It contains various useful bug fixes and security fixes for the 4.2 branch. Bugzilla 4.0.8 and 3.6.11 are security updates for the 4.0 branch and the 3.6 branch, respectively. Both also contain one bug fix. Note that 4.3.3 is an unstable development release and should not be used in production envir...

[ANN] Security Advisory for Bugzilla 3.2.7, 3.4.7, 3.6.1, and 3.7.2
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Summary ======= Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issues have been discovered in Bugzilla: * It was possible to (at least partially) determine the membership of any group using the Search interface. * It was possible to use the 'sudo' feature without sending a notification to the user being impersonated. * The 'Reports' and 'Duplicates' pages let you guess the name of products you could not see, due to the error message ...

[ANN] Security Advisory for Bugzilla 3.2.9, 3.4.9, 3.6.3, and 4.0rc1
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Summary ======= Bugzilla is a Web-based bug-tracking system used by a large number of software projects. Recently, Mozilla expanded its security bug bounty program to include web applications (http://www.mozilla.org/security/bug-bounty.html). As a result, several new security issues affecting Bugzilla were discovered: * A weakness in Bugzilla could allow a user to gain unauthorized access to another Bugzilla account. * A weakness in the Perl CGI.pm module allows injecting HTTP headers and content to users via several pages...

[ANN] Release of Bugzilla 4.1.3, 4.0.2, 3.6.6, and 3.4.12
Today we are releasing 4.0.2, 3.6.6, 3.4.12, and the unstable development snapshot 4.1.3. All of today's releases contain security fixes. We recommend all Bugzilla administrators read the Security Advisory linked below. 4.0.2 is our latest stable release, containing various useful bug fixes and performance improvements. 3.6.6 and 3.4.12 are security updates for those series. Note that 4.1.3 is an unstable development release and should not be used in production environments. We are feature-frozen at this point, however, so the features you see in 4.1.3 shoul...

[ANN] Security Advisory for Bugzilla 3.0.10, 3.2.5, 3.4.4, and 3.5.2
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Summary ======= Bugzilla is a Web-based bug-tracking system, used by a large number of software projects. This advisory covers two security issues that have recently been fixed in the Bugzilla code: + Some files stored on the web server are not correctly protected against external access and can be viewed from a web browser. + Restricting a bug to a group while moving the bug to another product has no effect if the group is not used by both products. The bug may become public if no other group restriction applies. All...

[ANN] Security Advisory for Bugzilla 3.2.8, 3.4.8, 3.6.2, and 3.7.3
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Summary ======= Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issues have been discovered in Bugzilla: * There is a way to inject both headers and content to users, causing a serious Cross-Site Scripting vulnerability. * It was possible to see graphs from Old Charts even if you did not have access to a particular product, and you could browse a particular URL to see all product names. * YUI 2.8.1, which shipped with Bugzilla starting with 3.7.x, contain...

Security advisory for Bugzilla 4.4rc2, 4.2.5, 4.0.10 and 3.6.13
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Summary ======= Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issues have been discovered in Bugzilla: * When viewing a bug report, a bug ID containing random code is not correctly sanitized in the HTML page if the specified page format is invalid. This can lead to XSS. * When running a query in debug mode, it is possible to determine if a given confidential field value (such as a product name) exists. Bugzilla 4.1 and newer are not affected by this issue....

Web resources about - Security advisory for Bugzilla 4.2rc1, 4.0.3, 3.6.7 and 3.4.13 - mozilla.support.bugzilla

Krebs on Security
The House Financial Services Committee is slated to hold a hearing this Friday on the impact of cyber heists against small- to mid-sized businesses. ...

Security Middle East - Latest news from the Middle East.
Security Middle East is a news portal for the entire security industry, focussed specifically on latest security news from the Middle East. Security ...

Information Security News, IT Security News & Expert Insights: SecurityWeek.Com
IT Security News and Information Security News, Cyber Security, Network Security, Enterprise Security Threats, Cybercrime News and more. Information ...

Committee on National Security Systems - Wikipedia, the free encyclopedia
The National Security Telecommunications and Information Systems Security Committee (NSTISSC) was established under National Security Directive ...

SMBs Can Potentially Compromising Enterprise IT Security: Cisco Report
Lifehacker Australia SMBs Can Potentially Compromising Enterprise IT Security: Cisco Report Lifehacker Australia Enterprise organisations ...

South Korea toughens aviation security law after Korean Airlines heiress Cho Hyun-ah’s ‘nut rage’ tantrum ...
SOUTH Korea has toughened its aviation security law in the aftermath of the notorious “nut rage” incident involving a top airline executive. ...

Businesses need to place higher priority on cyber security
... are confident in their ability to fend off today’s sophisticated cyber attacks. This is one of the key findings from Cisco’s 2016 Annual Security ...

Amazon’s 13 best deals of the day include a cheap 4K TV and a wireless security system
... you want and the great products you need. Today's batch of Amazon's best deals includes a 4K Ultra HD TV for under $350, a great wireless security ...

Tech's big security problem: 'We're building 500mph cars with breaks that can cope with 30mph'
... technology like artificial intelligence and robotics that look set to transform the world. But one of the world's most prominent cyber security ...

Advocacy group wants healthcare industry to adopt medical device security principles
Advocacy group I Am the Cavalry is urging organizations that manufacture and distribute medical devices to adopt a cybersecurity version of the ...

Resources last updated: 1/21/2016 9:47:05 AM