3.2.9, 3.4.9, 3.6.3, and 4.0rc1 Security Advisory

Monday, January 24, 2011
Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects.

Recently, Mozilla expanded its security bug bounty program to include web
applications (http://www.mozilla.org/security/bug-bounty.html). As a result,
several new security issues affecting Bugzilla were discovered:

* A weakness in Bugzilla could allow a user to gain unauthorized access
  to another Bugzilla account.

* A weakness in the Perl CGI.pm module allows injecting HTTP headers
  and content to users via several pages in Bugzilla.

* The new user autocomplete functionality in Bugzilla 4.0 is vulnerable
  to a cross-site scripting attack.

* The new automatic duplicate detection functionality in Bugzilla 4.0
  is vulnerable to a cross-site scripting attack.

* If you put a harmful "javascript:" or "data:" URL into Bugzilla's
  "URL" field, then there are multiple situations in which Bugzilla
  will unintentionally make that link clickable.

* Various pages lack protection against cross-site request forgeries.

All affected installations are encouraged to upgrade as soon as
possible.

Vulnerability Details
=====================

Class:       Account Compromise
Versions:    2.14 to 3.2.9, 3.4.9, 3.6.3, 4.0rc1
Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
Description: It was possible for a user to gain unauthorized access to
             any Bugzilla account in a very short amount of time (short
             enough that the attack is highly effective). This is a
             critical vulnerability that should be patched immediately
             by all Bugzilla installations.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=621591
             https://bugzilla.mozilla.org/show_bug.cgi?id=619594
CVE Number:  CVE-2010-4568

Class:       HTTP Response Splitting
Versions:    Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2
Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
Description: By inserting particular strings into certain URLs, it was
             possible to inject both headers and content to any
             browser.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=591165
             https://bugzilla.mozilla.org/show_bug.cgi?id=621572
             http://avatraxiom.livejournal.com/104105.html
             http://cwe.mitre.org/data/definitions/113.html
CVE Number:  CVE-2010-2761, CVE-2010-4411, CVE-2010-4572

Class:       Cross-Site Scripting
Versions:    3.7.1 to 4.0rc1
Fixed In:    4.0rc2
Description: Bugzilla 3.7.x and 4.0rc1 have a new client-side
             autocomplete mechanism for all fields where a username
             is entered. This mechanism was vulnerable to a cross-site
             scripting attack.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=619637
CVE Number:  CVE-2010-4569

Class:       Cross-Site Scripting
Versions:    3.7.1 to 4.0rc1
Fixed In:    4.0rc2
Description: Bugzilla 3.7.x and 4.0rc1 have a new mechanism on the
             bug entry page for automatically detecting if the bug
             you are filing is a duplicate of another existing bug.
             This mechanism was vulnerable to a cross-site scripting
             attack.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=619648
CVE Number:  CVE-2010-4570

Class:       Cross-Site Scripting
Versions:    Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2
Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
Description: Bugzilla has a "URL" field that can contain several types
             of URL, including "javascript:" and "data:" URLs. However,
             it does not make "javascript:" and "data:" URLs into
             clickable links, to protect against cross-site scripting
             attacks or other attacks. It was possible to bypass this
             protection by adding spaces into the URL in places that
             Bugzilla did not expect them. Also, "javascript:" and 
             "data:" links were *always* shown as clickable to
             logged-out users.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=619588
             https://bugzilla.mozilla.org/show_bug.cgi?id=628034
CVE Number:  CVE-2010-4567, CVE-2011-0048

Class:       Cross-Site Request Forgery
Versions:    Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2
Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
Description: Various pages were vulnerable to Cross-Site Request 
             Forgery attacks. Most of these issues are not as serious
             as previous CSRF vulnerabilities. Some of these issues
             were only addressed on more recent branches of Bugzilla
             and not fixed in earlier branches, in order to avoid
             changing behavior that external applications may depend
             on. The links below in "References" describe which issues
             were fixed on which branches.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=621090
             https://bugzilla.mozilla.org/show_bug.cgi?id=621105
             https://bugzilla.mozilla.org/show_bug.cgi?id=621107
             https://bugzilla.mozilla.org/show_bug.cgi?id=621108
             https://bugzilla.mozilla.org/show_bug.cgi?id=621109
             https://bugzilla.mozilla.org/show_bug.cgi?id=621110
CVE Number:  CVE-2011-0046

Vulnerability Solutions
=======================

The fixes for these issues are included in the 3.2.10, 3.4.10, 3.6.4,
and 4.0rc2 releases. Upgrading to a release with the relevant fixes
will protect your installation from possible exploits of these issues.

If you are unable to upgrade but would like to patch just the
individual security vulnerabilities, there are patches available for
each issue at the bugzilla.mozilla.org "References" URLs for the
vulnerabilities.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS/bzr upgrade instructions are available at:

  http://www.bugzilla.org/download/

Credits
=======

The Bugzilla team wish to thank the following people/organizations for
their assistance in locating, advising us of, and assisting us to fix
this issue:

Willem Pinckaers
Anonymous ("mozilla11")
Michal Zalewski
Michael Brooks (Sitewatch)
José A. Vázquez
Reed Loden
Frédéric Buclin
Max Kanat-Alexander
David Lawrence
Mark Stosberg
Byron Jones
Guy Pyrzak

We would especially like to thank Willem Pinckaers of Pine Digital
Security for discovering--and providing a proof-of-concept exploit
for--the rather complex but very serious Account Compromise issue.

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.