Security advisory for Bugzilla 4.2rc2, 4.0.4, 3.6.8 and 3.4.14

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:

* When a user creates a new account, Bugzilla doesn't correctly
  reject email addresses containing non-ASCII characters, which
  could be used to impersonate another user account.

* A CSRF vulnerability in the implementation of the JSON-RPC API
  could be used to make changes to bugs or execute some admin tasks
  without the victim's knowledge.

All affected installations are encouraged to upgrade as soon as
possible.


Vulnerability Details
=====================

Class:       Account Impersonation
Versions:    2.0 to 3.4.13, 3.5.1 to 3.6.7, 3.7.1 to 4.0.3,
             4.1.1 to 4.2rc1
Fixed In:    3.4.14, 3.6.8, 4.0.4, 4.2rc2
Description: When a user creates a new account, Bugzilla doesn't
             correctly reject email addresses containing non-ASCII
             characters, which could be used to impersonate another
             user account. Such email addresses could look visually
             identical to other valid email addresses, and an attacker
             could try to confuse other users and be added to bugs he
             shouldn't have access to.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=714472
CVE Number:  CVE-2012-0448
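The check the fix calls for, as an added example that is not Bugzilla's own code (Bugzilla is written in Perl; this is a Python illustration of the same rule): reject any login address containing non-ASCII characters at account creation, and, for an installation that was running a vulnerable version, audit the existing user list for addresses that collapse to the same visual form. The function names, the regular expression and the small homoglyph map are this example's assumptions; the map covers only a few Cyrillic letters, where a real audit would use the full Unicode confusables table (UTS #39).

```python
"""Added example (not Bugzilla's own code): reject non-ASCII login
e-mail addresses at account creation and audit an existing user list
for visually confusable pairs."""
import re
import unicodedata

# Deliberately strict shape: one local part, one '@', one dotted domain,
# ASCII only. This is an assumed pattern, not Bugzilla's own validation.
ASCII_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def validate_login_email(addr):
    """Return (accepted, reason). Any non-ASCII code point is rejected
    outright, so a homoglyph address can never be registered at all."""
    if not addr.isascii():
        bad = [c for c in addr if not c.isascii()]
        return False, "non-ASCII character(s): " + ", ".join(
            f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in bad)
    if not ASCII_EMAIL_RE.match(addr):
        return False, "malformed address"
    return True, "ok"


# Constructed, incomplete homoglyph map: Cyrillic letters that render like
# Latin ones. A production audit would use the Unicode confusables data.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def skeleton(addr):
    """Collapse an address to the ASCII string a reader would mistake it for:
    decompose, drop combining marks, map known homoglyphs, lower-case."""
    folded = unicodedata.normalize("NFKD", addr)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return "".join(HOMOGLYPHS.get(c, c) for c in folded).lower()


def find_lookalikes(addresses):
    """Group registered addresses by skeleton; a group holding more than one
    distinct address is a potential impersonation pair an admin should review."""
    groups = {}
    for a in addresses:
        groups.setdefault(skeleton(a), set()).add(a)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


# Constructed sample user list; the second entry begins with Cyrillic
# 'а' (U+0430), which is visually identical to Latin 'a'.
SAMPLE_USERS = [
    "admin@example.com",
    "\u0430dmin@example.com",
    "alice@example.com",
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(repr(u), validate_login_email(u))
    print(find_lookalikes(SAMPLE_USERS))
```

Rejecting at registration closes the hole going forward; the audit is what tells an administrator whether a lookalike account was already created while the installation was vulnerable.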

Class:       Cross-Site Request Forgery
Versions:    3.5.1 to 3.6.7, 3.7.1 to 4.0.3, 4.1.1 to 4.2rc1
Fixed In:    3.6.8, 4.0.4, 4.2rc2
Description: Due to a lack of validation of the Content-Type header
             when making POST requests to jsonrpc.cgi, a possible
             CSRF vulnerability was discovered. If a user visits an
             HTML page with some malicious JS code in it, an attacker
             could make changes to a remote Bugzilla installation on
             behalf of the victim's account by using the JSON-RPC API.
             The user would have had to be already logged in to the
             target site for the vulnerability to work.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=718319
CVE Number:  CVE-2012-0440
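The missing check, as an added example that is not Bugzilla's own code: a Content-Type gate for a JSON-RPC POST endpoint, shown in its unchecked and checked forms over two constructed requests. An HTML form on another site can only submit bodies as application/x-www-form-urlencoded, multipart/form-data or text/plain, and a script cannot send application/json cross-origin without a CORS preflight the server never answers; so requiring application/json on POST rejects form-driven forgeries before the body is parsed. The handler functions, the request dictionaries and the cookie placeholder are this example's assumptions; jsonrpc.cgi is the endpoint named in the advisory, and Bug.update is used only as a representative WebService method name.

```python
"""Added example (not Bugzilla's own code): Content-Type validation for a
JSON-RPC POST endpoint, with the vulnerable and hardened handlers side by side."""
import json

JSONRPC_PATH = "/jsonrpc.cgi"   # endpoint named in the advisory


def parse_media_type(content_type):
    """'application/json; charset=UTF-8' -> 'application/json' (lower-cased)."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def _dispatch(request):
    """Shared tail: parse the JSON-RPC body and pretend to run the method."""
    try:
        call = json.loads(request["body"])
    except ValueError:
        return 400, "bad json"
    return 200, f"executed {call['method']}"


def handle_unchecked(request):
    """Vulnerable shape: any POST whose body parses as JSON-RPC is executed,
    regardless of the Content-Type it arrived with. A cross-site form post
    carries the victim's cookies, so this executes forged calls."""
    if request["method"] != "POST" or request["path"] != JSONRPC_PATH:
        return 404, "not found"
    return _dispatch(request)


def handle_checked(request):
    """Hardened shape: the body must be declared as application/json, a media
    type a cross-origin page cannot send without a CORS preflight."""
    if request["method"] != "POST" or request["path"] != JSONRPC_PATH:
        return 404, "not found"
    ctype = parse_media_type(request["headers"].get("Content-Type"))
    if ctype != "application/json":
        return 415, "JSON-RPC POST requires Content-Type: application/json"
    return _dispatch(request)


# Constructed requests. Both carry the victim's session cookie (placeholder);
# only the first could have been sent by the site's own JavaScript client.
_CALL = json.dumps({"method": "Bug.update", "params": [{}], "id": 1})

LEGIT_REQUEST = {
    "method": "POST", "path": JSONRPC_PATH,
    "headers": {"Content-Type": "application/json; charset=UTF-8",
                "Cookie": "<victim session cookie>"},
    "body": _CALL,
}

# What a cross-site HTML form can produce: same body, same cookies, but the
# browser labels it text/plain because a form cannot declare application/json.
FORGED_REQUEST = {
    "method": "POST", "path": JSONRPC_PATH,
    "headers": {"Content-Type": "text/plain",
                "Cookie": "<victim session cookie>"},
    "body": _CALL,
}

if __name__ == "__main__":
    print("unchecked, forged:", handle_unchecked(FORGED_REQUEST))
    print("checked,   forged:", handle_checked(FORGED_REQUEST))
    print("checked,   legit :", handle_checked(LEGIT_REQUEST))
```

The gate is a cheap server-side signal as well as a fix: a 415 on jsonrpc.cgi in the server log means someone submitted a non-JSON body to the API, which a legitimate client never does.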

Vulnerability Solutions
=======================

The fixes for these issues are included in the 3.4.14, 3.6.8, 4.0.4,
and 4.2rc2 releases. Upgrading to a release with the relevant fixes will
protect your installation from possible exploits of these issues.

If you are unable to upgrade but would like to patch just the
individual security vulnerabilities, there are patches available for
each issue at the "References" URL for each vulnerability.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS/bzr upgrade instructions are available at:

  http://www.bugzilla.org/download/


Credits
=======

The Bugzilla team wishes to thank the following people/organizations for
their assistance in locating, advising us of, and assisting us to fix
these issues:

Frédéric Buclin
Max Kanat-Alexander
Byron Jones
Mario Gomes
James Kettle

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
Posted to mozilla.support.bugzilla, 1/31/2012 11:42:11 PM