Bugzilla 3.2, 3.0.6, 2.22.6, and 3.3.1 Security Advisory

Feb 2, 2009
Summary
=======

Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.

This advisory covers three security issues that have recently been
fixed in the Bugzilla code:

* It was possible for users to upload a malicious attachment that
  would run in the context of Bugzilla's domain (thus circumventing
  cross-site request protections in browsers).

* Bug updating was vulnerable to a cross-site request forgery.
  Note that this issue was only fixed for 3.2.1 and 3.3.2 even though
  all versions of Bugzilla are affected (see below for an explanation).

* Keywords, unused flag types, and saved searches could be deleted via
  cross-site request forgery. Also, a user's preferences could be
  changed via cross-site request forgery.

All affected installations are encouraged to upgrade as soon as
possible.

Vulnerability Details
=====================

Class:       Abuse of Functionality (Attachments)
Versions:    Every version before 2.22.7, 3.0.7, 3.2.1, or 3.3.2
Fixed In:    2.22.7, 3.0.7, 3.2.1, 3.3.2
Description: Bugzilla users can upload HTML or JavaScript attachments
             that are then viewed by other users in their web browsers.
             A malicious user could trick another Bugzilla user into
             viewing a malicious attachment that could then operate
             as that user. Since Bugzilla would view attachments
             using the same domain name as the rest of the application,
             such malicious attachments could access the cookies of
             the user and perform other activities usually restricted
             by the cross-site request protections of web browsers.

             Bugzilla now provides a two-fold solution to this problem:

             Bugzilla 2.22.7, 3.0.7, 3.2.1, and 3.3.2 now prevent
             users from viewing attachments in their browsers, by
             default. There is a new parameter named
             "allow_attachment_display" that administrators can enable
             to override this protection.

             Once this parameter is turned on, Bugzilla 3.0.7, 3.2.1,
             and 3.3.2 allow administrators to specify that attachments
             should be viewed using a different domain. This increases
             safety for the end user by enabling the browser's
             cross-domain request protections.

References:  https://bugzilla.mozilla.org/show_bug.cgi?id=38862
             https://bugzilla.mozilla.org/show_bug.cgi?id=472206
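The two-fold attachment protection described above, modelled as an added Python example (this is not Bugzilla's own Perl code). Only the parameter name allow_attachment_display comes from the advisory; the separate-domain parameter name attachment_base, the host names and the redirect URL shape are assumptions for illustration.

```python
# Added example, not Bugzilla code: how a fixed release decides whether an
# attachment may be rendered in the browser at all, and on which host.
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Params:
    # Off by default in 2.22.7/3.0.7/3.2.1/3.3.2: attachments are never
    # displayed inline unless an administrator turns this on.
    allow_attachment_display: bool = False
    # Assumed name for the separate attachment domain (3.0.7/3.2.1/3.3.2).
    attachment_base: str = ""


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def serve_attachment(params: Params, request_host: str,
                     content_type: str, attachment_id: int) -> Response:
    """Answer a request for an attachment under the advisory's rules.

    1. allow_attachment_display off: force a download, so an HTML or
       JavaScript attachment is never executed in any origin.
    2. On, with attachment_base set: inline viewing is only served from the
       attachment host; a request on the main Bugzilla host is redirected
       there, so cookies scoped to the main host stay out of reach.
    3. On, without a separate domain: the pre-fix behaviour the advisory
       warns about (active content runs in Bugzilla's own origin).
    """
    if not params.allow_attachment_display:
        return Response(200, {
            "Content-Type": "application/octet-stream",
            "Content-Disposition":
                f'attachment; filename="attachment-{attachment_id}"',
        })
    if params.attachment_base:
        attachment_host = urlsplit(params.attachment_base).hostname
        if request_host != attachment_host:
            location = f"{params.attachment_base}attachment.cgi?id={attachment_id}"
            return Response(302, {"Location": location})
    # Either on the attachment host, or no separate domain configured.
    return Response(200, {"Content-Type": content_type,
                          "Content-Disposition": "inline"})
```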


Class:       Cross-Site Request Forgery
Versions:    Every version before 3.2.1 or 3.3.2
Fixed In:    3.2.1, 3.3.2
Description: Bug updating was vulnerable to a cross-site request
             forgery, because it did not validate that calls to
             process_bug.cgi actually came from Bugzilla.

             Bugzilla now generates a token that is validated when
             process_bug.cgi is called. This may break automated
             scripts that call process_bug.cgi directly, unless they
             first load show_bug.cgi to get a valid token.

             Unfortunately, a fix for this issue was only possible for
             3.2.1 and 3.3.2. Fixing it on earlier branches would have
             broken Bugzilla's mid-air collision functionality.

             It should be noted that this issue actually was not a
             secret--it has been public knowledge for quite some time.
             It is only included in this security advisory to note that
             a fix is now available.

Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=26257


Class:       Cross-Site Request Forgery
Versions:    All Versions (for keywords and user preferences), 2.17
             and higher (for flags), 3.0 and higher (for saved
             searches)
Fixed In:    2.22.7, 3.0.7, 3.2.1, 3.3.2
Description: When deleting saved searches, keywords, or unused
             (never set on any bug or attachment) flags, or when a user
             updated their preferences, Bugzilla did not properly
             validate that the request came from Bugzilla. So, it was
             possible to trick a user into clicking on a link that would
             perform these actions without their consent.

References:  https://bugzilla.mozilla.org/show_bug.cgi?id=466692
             https://bugzilla.mozilla.org/show_bug.cgi?id=466748
             https://bugzilla.mozilla.org/show_bug.cgi?id=472362
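The request-token check that 3.2.1 and 3.3.2 add to process_bug.cgi, and the same kind of check the fixed releases add to the keyword, flag, saved-search and preference actions, modelled as one added Python example (this is not Bugzilla's own Perl code; Bugzilla keeps its tokens server-side, whereas the session-bound HMAC token here is an assumed simplification that keeps the example self-contained). The extract_token helper shows the extra step the advisory says automated scripts now need: load show_bug.cgi first and reuse its token.

```python
# Added example, not Bugzilla code: a token minted when the edit form is
# rendered and checked when the form is submitted, so a request forged from
# another site (which cannot read the form) is refused.
import hashlib
import hmac
import re
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # constructed per-process secret


def issue_token(session_id: str, action: str) -> str:
    """Mint a token bound to one session and one action (e.g. 'process_bug')."""
    nonce = secrets.token_hex(8)
    msg = f"{session_id}|{action}|{nonce}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def validate_token(session_id: str, action: str, token: str) -> bool:
    """True only if the token was minted for this session and this action."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    msg = f"{session_id}|{action}|{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def render_show_bug(session_id: str, bug_id: int) -> str:
    """show_bug.cgi: embed the token in the edit form as a hidden field."""
    token = issue_token(session_id, "process_bug")
    return (f'<form action="process_bug.cgi" method="post">'
            f'<input type="hidden" name="id" value="{bug_id}">'
            f'<input type="hidden" name="token" value="{token}">'
            f'<input type="submit" value="Commit"></form>')


def process_bug(session_id: str, form: dict) -> str:
    """process_bug.cgi: refuse the update unless the token checks out."""
    if not validate_token(session_id, "process_bug", form.get("token", "")):
        return "rejected: missing or invalid token"
    return f"bug {form['id']} updated"


TOKEN_RE = re.compile(r'name="token" value="([^"]+)"')


def extract_token(html: str) -> str:
    """What a script must do before calling process_bug.cgi directly."""
    m = TOKEN_RE.search(html)
    return m.group(1) if m else ""
```

The same issue_token/validate_token pair, keyed on actions such as "delete_keyword" or "save_prefs", is what closes the third issue in this advisory.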


Vulnerability Solutions
=======================

The fixes for the security bugs mentioned in this advisory are included
in the 3.3.2, 3.2.1, 3.0.7, and 2.22.7 releases (though certain issues
are only fixed for certain versions, as noted above). Upgrading to a
release with the relevant fix will protect your installation from
possible exploits of these issues.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:

  http://www.bugzilla.org/download/


Credits
=======

The Bugzilla team wish to thank the following people/organizations for
their assistance in locating, advising us of, and assisting us to fix
these issues:

Frédéric Buclin
Stephen Lee
Jesse Ruderman
Terry Weissman
Max Kanat-Alexander
Teemu Mannermaa
Mozilla Corporation

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.