Bugzilla Insecure Temporary File Processing May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1006648
SecurityTracker URL: http://securitytracker.com/id/1006648
CVE Reference:
CVE-2003-0603
Updated: Oct 1 2007
Original Entry Date: Apr 26 2003
Impact:
Modification of system information, Modification of user information, User access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2.16.3 and prior versions; 2.17.4 and prior versions
Description:
A vulnerability was reported in the Bugzilla bug tracking system. A local user may be able to obtain elevated privileges on the system.
It is reported that Bugzilla creates temporary files in some world-writable or group-writable directories without first checking whether the filename already exists. A local user can create a symbolic link at the temporary file name pointing to another critical file on the system. When Bugzilla next runs, it will overwrite the linked file and may eventually delete it. A local user may be able to exploit this to gain elevated privileges on the system.
According to the vendor, showdependencygraph.cgi and the GenerateVersionTable function are affected.
The vendor credits Jonathan Schatz with discovering this flaw.
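The following script is an added illustration of the failure mode described above; it is not code from this entry or from Bugzilla (which is written in Perl). It reproduces the condition in a throwaway directory: a stand-in for a group-writable directory, a "victim" file and a symlink named like the temporary file are all constructed for the demonstration. It contrasts the unsafe fixed-name open with the hardened open (O_CREAT|O_EXCL|O_NOFOLLOW, mode 0600) and with letting the OS pick a verified-unique name via mkstemp, which is the fix the advisory describes.

```python
import errno
import os
import tempfile

# Constructed sample content for the demonstration (not from the advisory).
ORIGINAL = "important configuration\n"
PAYLOAD = "graph data\n"


def write_temp_unsafe(directory, name, data):
    """The pattern the advisory describes: a fixed, predictable name is
    opened for writing without checking whether it already exists.
    open() in mode "w" follows symlinks and truncates the target, so a
    symlink planted at that name redirects the write to another file."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(data)
    return path


def write_temp_safe(directory, name, data):
    """Hardened form: O_CREAT|O_EXCL makes the open fail if anything already
    exists at that name (a symlink included, wherever it points), and
    O_NOFOLLOW refuses to traverse a symlink at the final component.
    The file is created with mode 0600 so other local users cannot read it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    path = os.path.join(directory, name)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def write_temp_unique(directory, data):
    """Preferred form: let the OS choose an unused, unpredictable name.
    mkstemp() uses O_CREAT|O_EXCL internally, so a pre-planted symlink
    can never match the name it picks."""
    fd, path = tempfile.mkstemp(prefix="graph-", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def run_demo():
    """Plants a symlink named like the temp file, then exercises each
    writer. Returns what happened to the victim file in each case."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        victim = os.path.join(work, "victim.conf")      # constructed target file
        shared = os.path.join(work, "shared")           # stands in for a group-writable dir
        os.mkdir(shared)
        with open(victim, "w") as fh:
            fh.write(ORIGINAL)
        # A local user who can write to the shared directory plants the link.
        os.symlink(victim, os.path.join(shared, "graph.tmp"))

        # 1. Fixed name, no existence check: the write lands on the victim.
        write_temp_unsafe(shared, "graph.tmp", PAYLOAD)
        with open(victim) as fh:
            results["unsafe_overwrote_victim"] = fh.read() == PAYLOAD

        # 2. Same name with O_EXCL|O_NOFOLLOW: the open is refused
        #    (EEXIST from O_EXCL, or ELOOP from O_NOFOLLOW, depending on the OS).
        with open(victim, "w") as fh:
            fh.write(ORIGINAL)
        try:
            write_temp_safe(shared, "graph.tmp", PAYLOAD)
            results["safe_refused"] = False
        except OSError as exc:
            results["safe_refused"] = exc.errno in (errno.EEXIST, errno.ELOOP)
        with open(victim) as fh:
            results["safe_victim_intact"] = fh.read() == ORIGINAL

        # 3. OS-chosen unique name: a fresh private regular file, never a link.
        unique = write_temp_unique(shared, PAYLOAD)
        results["unique_is_regular_file"] = (
            not os.path.islink(unique) and os.path.isfile(unique)
        )
        results["unique_mode_private"] = (os.stat(unique).st_mode & 0o777) == 0o600
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The check that matters in a code review is the one in write_temp_safe: any open of a predictable name in a directory other users can write to must fail when the name is already taken, rather than silently following whatever is there. Where the name itself does not need to be predictable, mkstemp (or its equivalent in the language at hand) removes the race entirely.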
Impact:
A local user can cause Bugzilla to overwrite and possibly delete files on the system with the privileges of the Bugzilla process.
Solution:
The vendor has released fixed versions (2.16.3 and 2.17.4), available at:
http://www.bugzilla.org/download.html
Patches to upgrade from Bugzilla 2.16, 2.16.1, and 2.16.2 to the fixed 2.16.3 version are available at:
http://ftp.mozilla.org/pub/webtools/
Vendor URL: www.bugzilla.org/security/2.16.2/
Cause:
Access control error, State error
Underlying OS:
Linux (Any), UNIX (Any)
Source Message Contents
Date: Fri, 25 Apr 2003 04:40:33 -0400
Subject: [BUGZILLA] Security Advisory - XSS, insecure temporary filenames
Bugzilla Security Advisory
April 24, 2003
Summary
=======
All Bugzilla installations are advised to upgrade to the latest stable
version of Bugzilla, 2.16.3, which was released today.
Development snapshots prior to version 2.17.4 are also affected, so if you
are using a development snapshot, you should obtain a newer one (2.17.4) or
use CVS to update.
This advisory covers multiple situations where unescaped raw HTML submitted by
users could be echoed back to the user, and a situation where temporary
files were not written to verified-unique filenames, thus exposing them to
potential symlink attacks by local users with sufficient permissions.
Vulnerability Details
=====================
The following three security issues were fixed in versions 2.16.3 and 2.17.4.
Multiple Cross-Site Scripting Vulnerabilities in Default Templates
------------------------------------------------------------------
Bugzilla output shown to end-users is generated via HTML templates. One of
the core Bugzilla contributors recently contributed an automated tool which
detects failure-to-filter situations in the HTML templates - situations
where untrusted data was not properly filtered for HTML metacharacters
prior to outputting to end-users, allowing an attacker to insert a script
into the output by submitting data to the server in a specially formatted
manner.
Several exploitable instances were discovered in the default English
templates that are shipped with both 2.16.2 and 2.17.3 and have been closed
with this release. We have received confirmation from the maintainers of
the German and Russian localized templates that corrected versions of those
template sets should be available within 24 hours of this announcement for
the versions they support. For corrected versions of other localizations,
please consult the localization's maintainer.
Bugzilla's output did not use HTML templates prior to version 2.16.
(Bugzilla Bug 192677 / BugTraq ID 6868)
Cross-Site Scripting vulnerability in local dependency graphs
-------------------------------------------------------------
Bugzilla contains a feature which allows users to generate visual graphs of
the dependency relationships between bugs. In the past this was done by
using a remote server running the "Webdot" software. In version 2.16, a
feature was introduced which provided the capability to use a
locally-installed copy of the GraphViz suite to generate the graph files
directly on the Bugzilla server instead of using a remote server. This
option is not enabled by default.
Bugzilla does not properly escape the bug summaries placed in the ALT and
NAME attributes to the AREA tags in the client-side image map which is
generated to go with the visual graph. This means an attacker could place
scripts in a graph by including a script in a specifically formatted manner
as part of a bug summary.
You are vulnerable if the "webdotbase" configuration parameter contains
a local pathname to an installation of "dot".
This bug is related to a feature added to Bugzilla in version 2.16, and
thus does not affect prior versions.
(Bugzilla Bug 192661 / BugTraq ID 6861)
Insecure Handling of Temporary Filenames
----------------------------------------
There are multiple places where Bugzilla creates temporary files in world-
or group-writable directories without verifying that the filename is
unused. A user with local access to the server could potentially create a
properly-named symlink within those directories pointing at a file which
the webserver had access to, thus causing Bugzilla to overwrite that file.
These instances have been fixed in both 2.16.3 and 2.17.4 and affect all
prior versions of Bugzilla.
(Bugzilla Bug 197153 / BugTraq ID 7412)
Vulnerability Solutions
=======================
The fixes for all of the security bugs mentioned in this advisory are included
in the 2.16.3 and 2.17.4 releases. Upgrading to these releases will
protect installations against exploitations of these security bugs.
Patches to upgrade Bugzilla to 2.16.3 are available at:
http://ftp.mozilla.org/pub/webtools/
(these patches are only valid for 2.16.2, 2.16.1, and 2.16 users).
Full release downloads and CVS upgrade instructions are available at:
http://www.bugzilla.org/download.html
Links to the distribution sites of localized template sets can be found at:
http://www.bugzilla.org/download.html#localizations
Credits
=======
The Bugzilla team wish to thank the following people for their assistance
in locating and advising us of these situations:
Jouni Heikniemi - for finding the XSS in local dependency graphs
Gervase Markham - for contributing the automated testing tool which
located the XSS issues in the default template set
Jonathan Schatz - for discovering the insecure temporary filename handling
References
==========
Complete bug reports and the specific patches for the security bugs covered
herein may be obtained on the following bug reports:
XSS in local dependency graphing:
=> http://bugzilla.mozilla.org/show_bug.cgi?id=192661
XSS failure to filter in default templates:
=> http://bugzilla.mozilla.org/show_bug.cgi?id=192677
Insecure handling of temporary filenames
=> http://bugzilla.mozilla.org/show_bug.cgi?id=197153
General information about the Bugzilla bug-tracking system can be found at
http://www.bugzilla.org/
Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing
list; http://www.mozilla.org/community.html has directions for accessing
these forums.
-30-
--
Dave Miller Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/ http://www.bugzilla.org/
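As an added illustration of the dependency-graph issue described in the advisory above (not code from the advisory or from Bugzilla, which generates its image maps in Perl), the Python below builds the AREA tags of a client-side image map two ways: with the bug summary interpolated verbatim into the ALT and NAME attributes, and with the summary escaped for an HTML attribute context. The bug numbers, summaries and coordinates are constructed test data; the summary of bug 102 carries the quote and angle-bracket characters that break out of a quoted attribute.

```python
import html
import re

# Constructed bug data (id -> (summary, image-map coordinates)). Bug 102's
# summary is a test value containing attribute metacharacters, not a real bug.
BUGS = {
    101: ("Crash on startup", "0,0,100,20"),
    102: ('Summary with "quotes" & <brackets>', "0,30,100,50"),
}


def area_tag(bug_id, summary, coords, escape):
    """Builds one AREA tag of the client-side image map. With escape=False the
    summary goes into ALT and NAME verbatim (the flaw the advisory describes);
    with escape=True it is escaped for an HTML attribute context, so quotes,
    ampersands and angle brackets become entities and cannot end the attribute."""
    value = html.escape(summary, quote=True) if escape else summary
    return (f'<area shape="rect" coords="{coords}" href="show_bug.cgi?id={bug_id}" '
            f'alt="{value}" name="{value}">')


def build_image_map(bugs, escape):
    """Assembles the full MAP element for the graph."""
    lines = ['<map name="dependencies">']
    for bug_id, (summary, coords) in bugs.items():
        lines.append(area_tag(bug_id, summary, coords, escape))
    lines.append("</map>")
    return "\n".join(lines)


_ALT = re.compile(r'alt="([^"]*)"')


def alt_round_trips(tag, summary):
    """Reads ALT back the way a browser would (up to the next double quote) and
    checks that, after entity decoding, it still equals the original summary.
    A summary that escaped the attribute boundary fails this check."""
    match = _ALT.search(tag)
    return match is not None and html.unescape(match.group(1)) == summary


def check_map(bugs, escape):
    """Returns, per bug, whether its summary survives the attribute intact."""
    return {
        bug_id: alt_round_trips(area_tag(bug_id, summary, coords, escape), summary)
        for bug_id, (summary, coords) in bugs.items()
    }


if __name__ == "__main__":
    print(build_image_map(BUGS, escape=False))
    print(check_map(BUGS, escape=False))
    print(build_image_map(BUGS, escape=True))
    print(check_map(BUGS, escape=True))
```

The round-trip check is the property to test for any template that places user-controlled text inside an attribute: the decoded attribute value must equal the original input, which holds only when every `"`, `&`, `<` and `>` has been turned into an entity. Escaping the body text of an element is not enough, since the attribute delimiter is the quote character.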