Bugzilla Has Several Bugs, Permitting Privilege Escalation, SQL Injection, and Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1010681
SecurityTracker URL: http://securitytracker.com/id/1010681
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jul 13 2004
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information, Modification of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): Prior to 2.16.6; Development snapshots prior to 2.18rc1
Description:
Several vulnerabilities were reported in Bugzilla. A remote authenticated privileged user can inject SQL commands or assign membership to other groups. A remote user may be able to see the names of "hidden" products. A remote user can conduct cross-site scripting attacks and may be able to view the database password in certain cases.
The vendor reported the vulnerabilities.
It is reported that if the SQL server is halted but the web server is still running, a remote user can access 'index.cgi' (and possibly other scripts) to view an error message that includes the database password. Versions 2.17.1 through 2.17.7 are affected. Additional information is available at:
http://bugzilla.mozilla.org/show_bug.cgi?id=227191
It is also reported that a remote authenticated user with privileges to grant membership to one or more individual groups can grant membership for other groups (that the user does not have privileges for). Versions 2.17.1 through 2.17.7 are affected. More information is available at:
http://bugzilla.mozilla.org/show_bug.cgi?id=233486
It is also reported that a remote user can determine names of "hidden products" using 'duplicates.cgi' and 'buglist.cgi'. Versions prior to 2.16.6 and 2.18rc1 are affected. More information is available at:
http://bugzilla.mozilla.org/show_bug.cgi?id=234825
http://bugzilla.mozilla.org/show_bug.cgi?id=234855
It is also reported that several administrative CGI scripts, including 'editmilestones.cgi', do not properly filter HTML code from user-supplied input before displaying the information. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Bugzilla software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. Versions prior to 2.16.6 and 2.18rc1 are affected. Additional information is available at:
http://bugzilla.mozilla.org/show_bug.cgi?id=235265
The report also indicates that if a remote user is prompted to login when attempting to view a chart, the remote authenticated user's password may be included in an image URL and, as a result, visible in the web server log files. Versions 2.17.5 through 2.17.7 are affected. The bug report is available at:
http://bugzilla.mozilla.org/show_bug.cgi?id=235510
Finally, it is reported that a remote authenticated user with privileges to grant membership to a group can supply a specially crafted input to 'editusers.cgi' to execute arbitrary SQL commands on the target system. Additional information is available at:
http://bugzilla.mozilla.org/show_bug.cgi?id=244272
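Issues 2 and 6 above both stem from the group-editing code trusting what the form submits about which groups to touch. The Perl below is an added illustration, not Bugzilla's own code: the server recomputes which groups the acting user may bless and refuses everything else, and every query binds its values through DBI placeholders so submitted data never becomes part of the SQL text. The table layout, the bless_map table and the in-memory SQLite database are assumptions made for the demo.

```perl
#!/usr/bin/perl
# Added illustration, not Bugzilla code: only grant membership in groups the
# acting user may bless, and bind every value with DBI placeholders.
use strict;
use warnings;
use DBI;

# In-memory SQLite stands in for Bugzilla's MySQL backend (assumption).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });

# Table layout is hand-built for this demo; bless_map records which groups
# each actor is permitted to grant.
$dbh->do("CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT)");
$dbh->do("CREATE TABLE user_group_map (user_id INTEGER, group_id INTEGER)");
$dbh->do("CREATE TABLE bless_map (actor_id INTEGER, group_id INTEGER)");
$dbh->do("INSERT INTO groups VALUES (1,'editbugs'),(2,'canconfirm'),(3,'admin')");
$dbh->do("INSERT INTO bless_map VALUES (42,1),(42,2)");   # actor 42: no admin

# Grants $target_id membership in the requested groups and returns the list
# actually applied. The set of allowed groups is recomputed from the database
# on every call, never taken from the submitted form.
sub grant_groups {
    my ($dbh, $actor_id, $target_id, $requested) = @_;
    # Reject anything that is not a plain group id before it goes near SQL.
    my @bad = grep { !/^\d+$/ } @$requested;
    die "refusing: malformed group id(s) @bad\n" if @bad;
    my %blessable = map { $_ => 1 } @{ $dbh->selectcol_arrayref(
        "SELECT group_id FROM bless_map WHERE actor_id = ?", undef, $actor_id) };
    my @refused = grep { !$blessable{$_} } @$requested;
    die "refusing: not permitted to bless group(s) @refused\n" if @refused;
    my $sth = $dbh->prepare(
        "INSERT INTO user_group_map (user_id, group_id) VALUES (?, ?)");
    $sth->execute($target_id, $_) for @$requested;
    return @$requested;
}

# Actor 42 may hand out editbugs and canconfirm but not admin, and any value
# that is not a bare group id is refused before the query is built.
print join(",", grant_groups($dbh, 42, 7, [1, 2])), " granted\n";
for my $attempt ([3], ["3 OR 1=1"]) {
    eval { grant_groups($dbh, 42, 7, $attempt) };
    print "blocked: $@" if $@;
}
```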
Impact:
A remote user may be able to view the database password.
A remote authenticated user with privileges to grant group membership can grant membership for other groups or can inject SQL commands to be executed by the underlying database.
A remote user can determine names of products that are hidden to that user.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Bugzilla software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A remote authenticated user's password may be written to the web server logs in certain cases.
Solution:
The vendor has released fixed versions (2.16.6 and 2.18rc1), available at:
http://www.bugzilla.org/download.html
Vendor URL: http://www.bugzilla.org/
Cause:
Access control error, Input validation error
Underlying OS:
Linux (Any), UNIX (Any)
Message History:
None.
Source Message Contents
Date: Sat, 10 Jul 2004 19:23:04 -0400
Subject: [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7
Bugzilla Security Advisory
July 10, 2004
Summary
=======
Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.
This advisory covers security bugs that have recently been discovered
and fixed in the Bugzilla code: In the stable 2.16 releases, one instance
of arbitrary SQL injection exploitable only by a privileged user, several
instances of insufficient data validation and/or escaping, and two
instances of unprivileged access to names of restricted products. We know
of no occasion where any of these vulnerabilities have been exploited.
All Bugzilla installations are advised to upgrade to the latest stable
version of Bugzilla, 2.16.6, which was released today.
Development snapshots prior to version 2.18rc1 are also affected, so if
you are using a development snapshot, you should obtain a newer one
(2.18rc1) or use CVS to update.
Vulnerability Details
=====================
Issue 1
-------
Class: Database Password Compromise
Versions: 2.17.1 through 2.17.7 (2.16-based releases are not affected)
Description: If the SQL server is halted but the webserver is left running,
             older versions of DBI display an error message to the remote
             user which contains the database password. While a properly-
             configured database would still only be accessible by a local
             user using that password, all installations are advised to
             change the password after upgrading.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=227191
Issue 2
-------
Class: Privilege escalation
Versions: 2.17.1 through 2.17.7 (2.16-based releases are not affected)
Description: A user with privileges to grant membership to one or more
             individual groups (i.e. usually an administrator) can
             trick the administrative controls into granting membership
             in groups other than the ones he has privileges for.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=233486
Issue 3
-------
Class: Information Leak
Versions: All versions prior to 2.16.6 and 2.18rc1
Description: If Bugzilla is configured to hide entire products from some
             users, both duplicates.cgi and the form for mass-editing a
             list of bugs in buglist.cgi can disclose the names of those
             hidden products to such users.
References: http://bugzilla.mozilla.org/show_bug.cgi?id=234825
            http://bugzilla.mozilla.org/show_bug.cgi?id=234855
Issue 4
-------
Class: Cross-site scripting vulnerability
Versions: All versions prior to 2.16.6 and 2.18rc1
Description: Several administration CGIs echo invalid data back to the
             user without escaping it.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=235265
Issue 5
-------
Class: User Password embedded in URL
Versions: 2.17.5 through 2.17.7 (2.16-based releases are not affected)
Description: The user's password can be embedded as part of an image URL,
             and thus visible in the web server logs, if the user is
             prompted to log in while attempting to view a chart.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=235510
Issue 6
-------
Class: Remote SQL injection vulnerability
Versions: All versions prior to 2.16.6 and 2.18rc1
Description: A user with privileges to grant membership to any group
             (i.e. usually an administrator) can trick editusers.cgi
             into executing arbitrary SQL.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=244272
Vulnerability Solutions
=======================
The fixes for all of the security bugs mentioned in this advisory
are included in the 2.16.6 and 2.18rc1 releases. Upgrading to these
releases will protect installations from possible exploits of these
issues.
Full release downloads, patches to upgrade Bugzilla to 2.16.6 from
previous 2.16.x versions, and CVS upgrade instructions are available at:
    http://www.bugzilla.org/download.html
Specific patches for each of the individual issues can be found on the
corresponding bug reports for each issue, at the URL given in the
reference for that issue in the list above.
Credits
=======
The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix
these situations:
Vlad Dascalu
Laran Evans
Jouni Heikniemi
Felix Hieronymi
Byron Jones
Gervase Markham
Dave Miller
Gabriel Millerd
Joel Peshkin
Christian Reis
General information about the Bugzilla bug-tracking system can be found
at http://www.bugzilla.org/
Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools
mailing list; http://www.bugzilla.org/discussion.html has directions for
accessing these forums.
-30-
--
Dave Miller, Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/ http://www.bugzilla.org/