SecurityTracker.com
Category: Application (Generic) > Bugzilla
Vendors: Mozilla.org
Bugzilla Input Validation Hole in 'quips' Feature Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1005719
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Nov 27 2002
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 2.10 and prior versions, but only on installations that were later upgraded from those versions
Description:  An input validation vulnerability was reported in the Bugzilla bug tracking system. A remote user can conduct cross-site scripting attacks against Bugzilla users.

It is reported that the Bugzilla 'quips' feature is vulnerable on systems that had Bugzilla 2.10 or prior versions installed and then upgraded from that point. Users that installed version 2.12 (released 2001 Apr 27) or later versions are not affected. Users that do not enable 'quips' are also not affected.

It is reported that the display of existing quips from the "show all quips" choice on the quips management page is not properly escaped. Older quips that were entered into the database prior to the version upgrade are displayed without proper filtering to remove HTML code.

A remote user that had entered a quip containing HTML code could cause arbitrary scripting code to be executed by the target user's browser when the target user chooses to "show all quips." The code will originate from the site running Bugzilla and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running Bugzilla, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:  The vendor has released a fixed version (2.17.1), available at:

http://www.bugzilla.org/

Patches for 2.14.4 and 2.16.1 are available in the Source Message.

The vendor recommends that you audit the contents of your quips file to ensure that it does not contain HTML. Quips are stored in the file 'data/comments' in Bugzilla 2.14.x and 2.16.x, and in the database, in a 'quips' table, in 2.17.x.

Vendor URL:  bugzilla.mozilla.org/show_bug.cgi?id=179329
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  David Miller <justdave@syndicomm.com>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 2 2003 (Debian Issues Fix) Bugzilla Input Validation Hole in 'quips' Feature Lets Remote Users Conduct Cross-Site Scripting Attacks   (joey@infodrom.org (Martin Schulze))
Debian has released a fix.



Source Message Contents

Date:  Tue, 26 Nov 2002 15:34:12 -0500
From:  David Miller <justdave@syndicomm.com>
Subject:  XSS vulnerability in Bugzilla if upgraded from 2.10 or earlier

 

Bugzilla Security Advisory

November 26th, 2002

Severity: Minor

Summary
=======

The Bugzilla team recently discovered a cross-site scripting vulnerability.
The vulnerability, present in Bugzilla's 'quips' feature, affects all
installations that originally installed Bugzilla 2.10 or earlier and which
have been upgraded from there.

If you originally installed version 2.12 (released 2001 Apr 27) or later,
or you have never had quips enabled, then you are not vulnerable to this
attack.

Vulnerability Details
=====================

This vulnerability affects installations using the "quips" feature to put
short, user-submitted phrases at the top of bug lists.

2.10 and earlier versions allowed users to enter unchecked input which was
displayed as-entered back to the user.  Version 2.12 and later attempted to
fix this problem by preventing users from entering HTML in new quips, and
also escaping existing quips when displaying them to users in the bug list.

However, the output of existing quips from "show all quips" choice on the
quips management page was not properly escaped, so any *existing* quips
still in the database from before the input checks were put in place would
be displayed to a user with unescaped HTML if they chose to view a list of
all of the existing quips at once.

If you originally installed a version older than 2.12, had quips enabled,
and have not cleaned up your quips database since you upgraded to 2.12,
your installation may contain scripting attacks in your quips file from
ages ago, still able to affect end users.


Vulnerability Solutions
=======================

The best way to fix this vulnerability is to audit the contents of your
quips file.

Quips are stored in the file 'data/comments' in Bugzilla 2.14.x and 2.16.x,
and in the database, in a 'quips' table, in 2.17.x.

In addition to auditing quips, Bugzilla administrators can also force quips
to be properly encoded to prevent HTML attacks by applying one of the following
one-line patches.

The Bugzilla team recommends both auditing your quips and applying the patches.
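As an added illustration (not code from the advisory or from the Bugzilla project, whose code is Perl), the following Python helper performs the audit the advisory recommends: it scans a constructed 'data/comments' file for stored quips that contain HTML markup, and shows the output encoding that the vendor patches apply when the list is displayed. The sample quips and the tag-detection regex are assumptions made here.

```python
import re

# Constructed sample of a Bugzilla 2.14.x/2.16.x 'data/comments' file: one quip
# per line.  Lines 2 and 3 stand in for quips entered before 2.12 added input
# checks; they are made up for this example, not taken from any installation.
SAMPLE_COMMENTS = (
    "Ever tried. Ever failed. No matter. Try again. Fail better.\n"
    "Bugs <b>love</b> attention\n"
    "Quip of the day <script>alert('quip')</script>\n"
    "Tom & Jerry would have filed this as a blocker\n"
)

# Anything that looks like the start of an HTML tag or comment (assumed
# heuristic).  2.12+ rejects new quips like this; old ones may still be on disk.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z!?]")


def html_quote(s: str) -> str:
    """Output-encode a quip the way the vendor patches do at display time:
    &, <, > and " become entities.  & must be handled first, otherwise the
    entities produced for the other characters would be double-escaped."""
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;"))


def audit_quips(comments: str):
    """Return (1-based line number, quip) for every stored quip containing
    HTML markup.  Escaping on output protects browsers, but the markup stays
    in the file, which is why the advisory asks administrators to audit it."""
    return [(n, line) for n, line in enumerate(comments.splitlines(), 1)
            if TAG_RE.search(line)]


def render_show_all(comments: str) -> str:
    """Build the 'show all quips' list as the patched code emits it: every
    quip passes through html_quote before being placed inside <li>."""
    return "\n".join(f"<li>{html_quote(q)}</li>" for q in comments.splitlines())


if __name__ == "__main__":
    for n, quip in audit_quips(SAMPLE_COMMENTS):
        print(f"line {n}: contains HTML -> {quip!r}")
    print(render_show_all(SAMPLE_COMMENTS))
```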

Because of the low severity of this vulnerability, the small size of the required changes to fix it,
and the small number of installations believed in existence at the point in time when this was
corrected for new installations, we have not released any updated versions of Bugzilla; however,
these fixes have been checked into the associated branches (so if you update via CVS you'll get
them) and will be included in any future versions we release. Please note that Bugzilla 2.14.x
will no longer be supported after December 31, 2002, so Bugzilla 2.14.x sites are encouraged to
upgrade to 2.16.1.

Patch for Bugzilla 2.14.4:

Index: quips.cgi =================================================================== RCS file: /cvsroot/mozilla/webtools/bugzilla/quips.cgi,v retrieving revision 1.1 diff -u -r1.1 quips.cgi --- quips.cgi 29 May 2001 04:01:48 -0000 1.1 +++ quips.cgi 22 Nov 2002 21:04:08 -0000 @@ -49,7 +49,7 @@ if (open (COMMENTS, "<data/comments")) { while (<COMMENTS>) { - print $_,"<br>\n"; + print html_quote($_),"<br>\n"; } close COMMENTS; }

Patch for Bugzilla 2.16.1:

Index: template/en/default/list/quips.html.tmpl =================================================================== RCS file: /cvsroot/mozilla/webtools/bugzilla/template/en/default/list/quips.html.tmpl,v retrieving revision 1.4.2.1 diff -u -r1.4.2.1 quips.html.tmpl --- template/en/default/list/quips.html.tmpl 23 May 2002 08:14:23 -0000 1.4.2.1 +++ template/en/default/list/quips.html.tmpl 22 Nov 2002 21:19:22 -0000 @@ -59,7 +59,7 @@ </h2> <ul> [% FOREACH quip = quips %] - <li>[% quip %]</li> + <li>[% quip FILTER html %]</li> [% END %] </ul> [% ELSE %]

For Bugzilla 2.17 from CVS: Run a 'cvs update' to pick up the fix.
Bugzilla 2.17.1 already contains this fix.

For More Information
====================

References: Bugzilla bug 179329
http://bugzilla.mozilla.org/show_bug.cgi?id=179329

General information about the Bugzilla bug-tracking system can be found at
http://www.bugzilla.org/

Comments and follow-ups can be directed to the netscape.public.mozilla.webtools
newsgroup or the mozilla-webtools mailing list; http://www.mozilla.org/community.html
has directions for accessing these forums.

--
Dave Miller
Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/ http://www.bugzilla.org/
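Review bot: html_quote($_) in the quips.cgi hunk is the right sink-side fix, but the visible context does not show where html_quote is defined or imported; confirm that quips.cgi already loads the module providing it, otherwise the page fails at runtime instead of rendering. Two further points worth stating in the advisory: $_ still carries its trailing newline, which html_quote passes through harmlessly, and escaping at output leaves the stored markup in data/comments untouched, so the audit step is still required rather than optional.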
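Review bot: `[% quip FILTER html %]` in the quips.html.tmpl hunk encodes only the "show all quips" list; the advisory states the bug-list rendering already escapes quips, so this closes the remaining unescaped sink, but any other template that interpolates quip without FILTER html would reopen it. Grep the templates for a bare `[% quip %]` before considering the branch fixed.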



Copyright 2002, SecurityGlobal.net LLC