Summary
=======

Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.

This advisory covers three security issues that have recently been
fixed in the Bugzilla code:

* Users without the "canconfirm" privilege could enter a bug as NEW
or ASSIGNED by using the XML-RPC interface.

* When viewing several bugs at once, there was a Cross-Site Scripting hole.

* The inbound email interface allowed you to set the Reporter via the
text of the email, instead of just using the From header.

All affected installations are encouraged to upgrade as soon as possible.

Vulnerability Details
=====================

Class: Unauthorized Bug Change
Versions: 3.1.3
Description: Users normally need the "canconfirm" privilege to put bugs
in the NEW or ASSIGNED state. However, users were being
allowed to create bugs in the NEW or ASSIGNED state if they
were creating the bug through the XML-RPC interface.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=415471


Class: Cross-Site Scripting
Versions: 2.17.2 and higher
Description: When using the "Format for Printing" view of a bug (or
the "Long Format" of a bug list, which is the same thing),
there was a cross-site scripting hole--arbitrary text
from a particular URL parameter could be injected into the
page without filtering.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=425665


Class: Account Impersonation (Minor)
Versions: 2.23.4 and higher
Description: By design, email_in.pl always believes the "From" header as
the user making changes or uses that as the reporter of the
bug. However, you could also specify the changer/reporter in
the body of the email and override the "From" header, possibly
bypassing some security checks set up by administrators
against the "From" header.
For most installations this is a minor or inconsequential
issue, as the documentation of email_in.pl already explains
that it does not do any user authentication (it just
believes the "From" header), so installations using it should
not have been expecting user account security (though they
may have had checks against the "From" header--that is what
makes this a security issue).
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=419188


Vulnerability Solutions
=======================

The fixes for the security bugs mentioned in this advisory are
included in the 3.0.4, 3.1.4, 2.22.4, and 2.20.6 releases. Upgrading
to these releases will protect installations from possible exploits of
these issues.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:

http://www.bugzilla.org/download/


Credits
=======

The Bugzilla team wishes to thank the following people for their
assistance in locating, advising us of, and helping us fix
these issues:

Frédéric Buclin
Max Kanat-Alexander
Bradley Baetz
Loren Butler
Marc Schumann

General information about the Bugzilla bug-tracking system can be found
at:

http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.