2.16.7, 2.18rc3, 2.19.1 Security Advisory

January 6, 2005

Summary
=======

Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.

This advisory covers a single cross-site scripting issue that has
recently been discovered and fixed in the Bugzilla code: If a malicious
user links to a Bugzilla site using a specially crafted URL, a script in
the error page generated by Bugzilla will display the URL unaltered in
the page, allowing scripts embedded in the URL to execute.  Not all
browsers are affected.  Many web browsers prevent these types of URLs
from being sent in the first place.  A list of browsers that we know are
or are not affected is in the Vulnerability Details section below.

At this time, we are very close to producing a new release of Bugzilla,
however, that release has not yet been completed.  In the mean time, we
felt it was only fair to advise everyone of this issue, since it has
already been made public via at least BugTraq and Secunia as part of a
broader paper covering cross-site scripting on many major websites.

We do have patches available which can be applied to your Bugzilla
installation.


Vulnerability Details
=====================

Class:       Cross-site scripting
Versions:    2.15 through 2.18rc3 and 2.19.1(from cvs)
Description: It is possible to send a carefully crafted URL to Bugzilla
             designed to trigger an error message.  The Internal Error
             message includes javascript code which displays the URL the
             user is visiting.  The javascript code does not escape the
             URL before displaying it, allowing scripts contained in the
             URL to be executed by the browser.  Many browsers do not
             allow unescaped URLs to be sent to a webserver (thus
             complying with RFC 2616 section 2.3.1 and RFC 2396 section
             2.4.3), and are thus immune to this issue.
             Browsers which are known to be immune:
             - Firefox 1.0
             - Mozilla 1.7.5
             - Camino 0.8.2
             - Netscape 7.2
             - Safari 1.2.4
             Browsers known to be susceptible:
             - Internet Explorer 6 SP2
             - Konqueror 3.2
             Browsers not listed here have not been tested.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=272620
CVE Name:    CAN-2004-1061


Vulnerability Solutions
=======================

The fixes for the security bug mentioned in this advisory will be
included in the 2.16.8 and 2.18 releases, and in the first release
candidate of 2.20, none of which are yet available at this writing. In
the mean time, the patch to correct the issue may be downloaded from the
bug report at https://bugzilla.mozilla.org/show_bug.cgi?id=272620 .
Applying the provided patch, or upgrading to these releases once they
are available, will protect installations from possible exploits of this
issue.


Credits
=======

The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix
these situations:

Michael Krax
Gervase Markham
Marc Schumann


General information about the Bugzilla bug-tracking system can be found
at http://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools
mailing list; http://www.bugzilla.org/support/ has directions for
accessing these forums.

 -30-