2.16.2, 2.17.3 Security Advisory

Thursday, Apr 24th, 2003

Summary
=======

All Bugzilla installations are advised to upgrade to the latest stable
version of Bugzilla, 2.16.3, which was released today.

Development snapshots prior to version 2.17.4 are also affected, so if you
are using a development snapshot, you should obtain a newer one (2.17.4) or
use CVS to update.

This advisory covers multiple situations where unescaped raw HTML submitted by
users could be echoed back to the user, and a situation where temporary
files were not written to verified-unique filenames, thus exposing them to
potential symlink attacks by local users with sufficient permissions.


Vulnerability Details
=====================

The following three security issues were fixed in versions 2.16.3 and 2.17.4.

Multiple Cross-Site Scripting Vulnerabilities in Default Templates
------------------------------------------------------------------

Bugzilla output shown to end-users is generated via HTML templates.  One of
the core Bugzilla contributors recently contributed an automated tool which
detects failure-to-filter situations in the HTML templates - situations
where untrusted data was not properly filtered for HTML metacharacters
prior to outputting to end-users, allowing an attacker to insert a script
into the output by submitting data to the server in a specially formatted
manner.

Several exploitable instances were discovered in the default English
templates that are shipped with both 2.16.2 and 2.17.3 and have been closed
with this release.  We have received confirmation from the maintainers of
the German and Russian localized templates that corrected versions of those
template sets should be available within 24 hours of this announcement for
the versions they support.  For corrected versions of other localizations,
please consult the localization's maintainer.

Bugzilla's output did not use HTML templates prior to version 2.16.

(Bugzilla Bug 192677 / BugTraq ID 6868)


Cross-Site Scripting vulnerability in local dependency graphs
-------------------------------------------------------------

Bugzilla contains a feature which allows users to generate visual graphs of
the dependency relationships between bugs.  In the past this was done by
using a remote server running the "Webdot" software.  In version 2.16, a
feature was introduced which provided the capability to use a
locally-installed copy of the GraphViz suite to generate the graph files
directly on the Bugzilla server instead of using a remote server.  This
option is not enabled by default.

Bugzilla does not properly escape the bug summaries placed in the ALT and
NAME attributes of the AREA tags in the client-side image map which is
generated to go with the visual graph.  This means an attacker could place
scripts in a graph by including a script in a specifically formatted manner
as part of a bug summary.
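The failure-to-filter pattern behind both the template issue above and the image map issue is the same: an untrusted string lands inside HTML (here, an attribute value) without its metacharacters being entity-encoded. The following is an added illustration, not Bugzilla's own code; the AREA tag layout, the bug summaries and the tag-scanning check are all constructed for the example. It builds the image map both ways and uses a crude tag scan to show which element names a browser would see in each.

```python
import html
import re

# Constructed sample summaries, including one that tries to close the
# attribute and the tag it sits in.  These are not real Bugzilla data.
SAMPLE_SUMMARIES = {
    101: 'Crash on startup',
    102: 'Login form "remembers" <b>password</b>',
    103: '"><script>alert(1)</script>',
}


def area_tag_unescaped(bug_id, summary, coords="0,0,10,10"):
    """Unfiltered form: the summary is interpolated into ALT/NAME as-is."""
    return (f'<area alt="{summary}" name="{summary}" shape="rect" '
            f'coords="{coords}" href="show_bug.cgi?id={bug_id}">')


def area_tag_escaped(bug_id, summary, coords="0,0,10,10"):
    """Hardened form: &, <, >, " and ' in the summary become entities,
    so the value can never terminate the attribute or start a new tag."""
    safe = html.escape(summary, quote=True)
    return (f'<area alt="{safe}" name="{safe}" shape="rect" '
            f'coords="{coords}" href="show_bug.cgi?id={bug_id}">')


def render_map(summaries, escape=True):
    """Assemble the client-side image map that accompanies the graph image."""
    tag = area_tag_escaped if escape else area_tag_unescaped
    body = "\n".join(tag(bid, s) for bid, s in sorted(summaries.items()))
    return f'<map name="depgraph">\n{body}\n</map>'


# Deliberately simple tag scanner: it mimics a browser seeing "<" followed by
# a name as the start of an element, which is exactly what escaping prevents.
TAG_RE = re.compile(r'<\s*(/?\w+)')


def tag_names(markup):
    """Element names (with a leading '/' for end tags) found in the markup."""
    return [m.group(1).lower() for m in TAG_RE.finditer(markup)]


def unexpected_tags(markup, allowed=("map", "/map", "area")):
    """Any element name a user-supplied string managed to introduce."""
    return [t for t in tag_names(markup) if t not in allowed]


if __name__ == "__main__":
    print("unfiltered :", unexpected_tags(render_map(SAMPLE_SUMMARIES, escape=False)))
    print("filtered   :", unexpected_tags(render_map(SAMPLE_SUMMARIES, escape=True)))
```

The check in unexpected_tags is what an automated failure-to-filter tool boils down to: render templates with hostile sample values and flag any element the sample data was able to introduce.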

You are vulnerable if the "webdotbase" configuration parameter contains
a local pathname to an installation of "dot".

This bug is related to a feature added to Bugzilla in version 2.16, and
thus does not affect prior versions.

(Bugzilla Bug 192661 / BugTraq ID 6861)


Insecure Handling of Temporary Filenames
----------------------------------------

There are multiple places where Bugzilla creates temporary files in world-
or group-writable directories without verifying that the filename is
unused.  A user with local access to the server could potentially create a
properly-named symlink within those directories pointing at a file which
the webserver had access to, thus causing Bugzilla to overwrite that file.

These instances have been fixed in both 2.16.3 and 2.17.4 and affect all
prior versions of Bugzilla.
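The defensive rule for the temporary file issue is to never open a predictable name in a shared directory with a plain create-or-truncate open.  The following is an added example, not Bugzilla's own code: it sets up a private directory, simulates the condition the advisory describes (an existing link at the name the program expects to create) and shows that an O_CREAT|O_EXCL open refuses it while a kernel-chosen unique name (mkstemp) sidesteps it entirely.  The file names and contents are constructed for the demonstration.

```python
import os
import tempfile


def write_temp_predictable(directory, name, data):
    """Unsafe pattern: fixed name, plain open(); whatever already sits at that
    path, link included, is followed and truncated."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(data)
    return path


def open_exclusive(path):
    """Safe pattern when the name must be chosen by the program: O_EXCL makes
    the open fail if anything exists at the path, and O_NOFOLLOW (where the
    platform has it) refuses a symlink outright."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    if hasattr(os, "O_NOFOLLOW"):
        flags |= os.O_NOFOLLOW
    return os.open(path, flags, 0o600)


def write_temp_safe(directory, data):
    """Safe pattern when any name will do: mkstemp picks an unused name and
    opens it with O_EXCL in one step, so there is no window to race."""
    fd, path = tempfile.mkstemp(dir=directory, prefix="bz-", suffix=".tmp")
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def run_demo():
    """Return a dict describing what each pattern did against a planted link."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")        # stands in for a file the web server can write
        with open(victim, "w") as fh:
            fh.write("original contents")
        planted = os.path.join(d, "bugzilla.tmp")     # the name the program is expected to use
        os.symlink(victim, planted)                   # simulated pre-existing link

        # 1. Exclusive open at the predictable name is refused.
        try:
            fd = open_exclusive(planted)
            os.close(fd)
            results["exclusive_refused"] = False
        except FileExistsError:
            results["exclusive_refused"] = True

        # 2. mkstemp never touches the planted name; the victim is untouched.
        safe_path = write_temp_safe(d, "graph data")
        results["safe_path_unique"] = safe_path != planted
        with open(victim) as fh:
            results["victim_after_safe"] = fh.read()

        # 3. The unsafe pattern follows the link and overwrites the victim.
        write_temp_predictable(d, "bugzilla.tmp", "graph data")
        with open(victim) as fh:
            results["victim_after_unsafe"] = fh.read()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Both safe variants rely on the kernel performing the existence check and the create in a single open(2) call; checking with stat() first and then opening would leave the race the advisory describes.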

(Bugzilla Bug 197153 / BugTraq ID 7412)


Vulnerability Solutions
=======================

The fixes for all of the security bugs mentioned in this advisory are included
in the 2.16.3 and 2.17.4 releases.  Upgrading to these releases will
protect installations against exploitation of these security bugs.

Patches to upgrade Bugzilla to 2.16.3 are available at:
  https://ftp.mozilla.org/pub/webtools/
  (these patches are only valid for 2.16.2, 2.16.1, and 2.16 users).

Full release downloads and CVS upgrade instructions are available at:
  https://www.bugzilla.org/download.html

Links to the distribution sites of localized template sets can be found at:
  https://www.bugzilla.org/download.html#localizations


Credits
=======

The Bugzilla team wish to thank the following people for their assistance
in locating and advising us of these situations:

Jouni Heikniemi - for finding the XSS in local dependency graphs
Gervase Markham - for contributing the automated testing tool which
     located the XSS issues in the default template set
Jonathan Schatz - for discovering the insecure temporary filename handling


References
==========

Complete bug reports and the specific patches for the security bugs covered
herein may be obtained on the following bug reports:

   XSS in local dependency graphing:
   => https://bugzilla.mozilla.org/show_bug.cgi?id=192661

   XSS failure to filter in default templates:
   => https://bugzilla.mozilla.org/show_bug.cgi?id=192677

   Insecure handling of temporary filenames:
   => https://bugzilla.mozilla.org/show_bug.cgi?id=197153

General information about the Bugzilla bug-tracking system can be found at
   https://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing
list; https://www.mozilla.org/community.html has directions for accessing
these forums.

-30-