2.12 Bugzilla Security Advisory

Apr 27th, 2001
Author: Matthew Tuck ([email protected])

Overview

Users of Bugzilla are recommended to either update to version 2.12 of
Bugzilla, or apply the patches at the end of this advisory.

Several instances where untrusted content could be passed to a system
call, allowing remote users to run system commands as the web server have
been fixed.

Furthermore, subsequent to prior advice, the files that it is recommended
you block from remote access has changed in 2.12.  Please see the release
notes for more details.

Patches To Apply To 2.10 If Not Upgrading To 2.12

diff -u -r1.56 -r1.57
--- process_bug.cgi	2000/05/08 22:00:38	1.56
+++ process_bug.cgi	2000/05/17 21:29:33	1.57
@@ -512,7 +512,7 @@
         $::FORM{'comment'} .= "\n\n*** This bug has been marked as a duplicate of $num ***";
 
         print "<TABLE BORDER=1><TD><H2>Notation added to bug $num</H2>\n";
-        system("./processmail $num $::FORM{'who'}");
+        system("./processmail", $num, $::FORM{'who'});
         print "<TD><A HREF=\"show_bug.cgi?id=$num\">Go To BUG# $num</A></TABLE>\n";
 
         last SWITCH;
@@ -901,7 +901,7 @@
 
     foreach my $k (keys(%dependencychanged)) {
         print "<TABLE BORDER=1><TD><H2>Checking for dependency changes on bug $k</H2>\n";
-        system("./processmail $k $::FORM{'who'}");
+        system("./processmail", $k, $::FORM{'who'});
         print "<TD><A HREF=\"show_bug.cgi?id=$k\">Go To BUG# $k</A></TABLE>\n";     }


diff -u -r1.26 -r1.27
--- post_bug.cgi	2000/04/26 19:35:51	1.26
+++ post_bug.cgi	2000/05/17 21:29:32	1.27
@@ -229,7 +229,7 @@
 }
 
 print "<TABLE BORDER=1><TD><H2>Bug $id posted</H2>\n";
-system("./processmail $id $::COOKIE{'Bugzilla_login'}");
+system("./processmail", $id, $::COOKIE{'Bugzilla_login'});
 print "<TD><A HREF=\"show_bug.cgi?id=$id\">Back To BUG# $id</A></TABLE>\n";
 
 print "<BR><A HREF=\"createattachment.cgi?id=$id\">Attach a file to this bug</a>\n";


diff -u -r1.10 -r1.11
--- createattachment.cgi	2000/03/07 18:22:50	1.10
+++ createattachment.cgi	2000/05/17 21:29:32	1.11
@@ -106,7 +106,7 @@
                   "Created an attachment (id=$attachid)\n$desc\n");
 
     print "<TABLE BORDER=1><TD><H2>Attachment to bug $id created</H2>\n";
-    system("./processmail $id $::COOKIE{'Bugzilla_login'}");
+    system("./processmail", $id, $::COOKIE{'Bugzilla_login'});
     print "<TD><A HREF=\"show_bug.cgi?id=$id\">Go Back to BUG# $id</A></TABLE>\n";
 }


diff -u -r1.13 -r1.14
--- backdoor.cgi	2000/03/07 20:03:52	1.13
+++ backdoor.cgi	2000/05/17 21:29:31	1.14
@@ -175,4 +175,4 @@
 }
 
 print "Created bugzilla bug $zillaid\n";
-system("./processmail $zillaid");
+system("./processmail", $zillaid);