2.14.4, 2.16.1 (upgraded from 2.10 or earlier) Security Advisory
Tuesday, Nov 26th, 20022.14.4, 2.16.1 (upgraded from 2.10 or earlier) Security Advisory
November 26th, 2002Severity: Minor Summary ======= The Bugzilla team recently discovered a cross-site scripting vulnerability. The vulnerability, present in Bugzilla's 'quips' feature, affects all installations who originally installed Bugzilla 2.10 or earlier and which have been upgraded from there. If you originally installed version 2.12 (released 2001 Apr 27) or later, or you have never had quips enabled, then you are not vulnerable to this attack. Vulnerability Details ===================== This vulnerability affects installations using the "quips" feature to put short, user-submitted phrases at the top of bug lists. 2.10 and earlier versions allowed users to enter unchecked input which was displayed as-entered back to the user. Version 2.12 and later attempted to fix this problem by preventing users from entering HTML in new quips, and also escaping existing quips when displaying them to users in the bug list. However, the output of existing quips from "show all quips" choice on the quips management page was not properly escaped, so any *existing* quips still in the database from before the input checks were put in place would be displayed to a user with unescaped HTML if they chose to view a list of all of the existing quips at once. If you originally installed a version older than 2.12, had quips enabled, and have not cleaned up your quips database since you upgraded to 2.12, your installation may contain scripting attacks in your quips file from ages ago, still able to affect end users. Vulnerability Solutions ======================= The best way to fix this vulnerability is to audit the contents of your quips file. Quips are stored in the file 'data/comments' in Bugzilla 2.14.x and 2.16.x, and in the database, in a 'quips' table, in 2.17.x). In addition to auditing quips, Bugzilla administrators can also force quips to be properly encoded to prevent HTML attacks by applying one of the following one-line patches. The Bugzilla team recommends both auditing your quips and applying the patches. Because of the low severity of this vulnerability, the small size of the required changes to fix it, and the small number of installations believed in existence at the point in time when this was corrected for new installations, we have not released any updated versions of Bugzilla, however, these fixes have been checked into the associated branches (so if you update via CVS you'll get them) and will be included in any future versions we release. Please note that Bugzilla 2.14.x will no longer be supported after December 31, 2002, so Bugzilla 2.14.x sites are encouraged to upgrade to 2.16.1. Patch for Bugzilla 2.14.4: Index: quips.cgi =================================================================== RCS file: /cvsroot/mozilla/webtools/bugzilla/quips.cgi,v retrieving revision 1.1 diff -u -r1.1 quips.cgi --- quips.cgi 29 May 2001 04:01:48 -0000 1.1 +++ quips.cgi 22 Nov 2002 21:04:08 -0000 @@ -49,7 +49,7 @@ if (open (COMMENTS, "<data/comments")) { while (<COMMENTS>) { - print $_,"<br>\n"; + print html_quote($_),"<br>\n"; } close COMMENTS; } Patch for Bugzilla 2.16.1: Index: template/en/default/list/quips.html.tmpl =================================================================== RCS file: /cvsroot/mozilla/webtools/bugzilla/template/en/default/list/quips.html.tmpl,v retrieving revision 1.4.2.1 diff -u -r1.4.2.1 quips.html.tmpl --- template/en/default/list/quips.html.tmpl 23 May 2002 08:14:23 -0000 1.4.2.1 +++ template/en/default/list/quips.html.tmpl 22 Nov 2002 21:19:22 -0000 @@ -59,7 +59,7 @@ </h2> <ul> [% FOREACH quip = quips %] - <li>[% quip %]</li> + <li>[% quip FILTER html %]</li> [% END %] </ul> [% ELSE %] For Bugzilla 2.17 from CVS: Run a 'cvs update' to pick up the fix. Bugzilla 2.17.1 already contains this fix. For More Information ==================== References: Bugzilla bug 179329 https://bugzilla.mozilla.org/show_bug.cgi?id=179329 General information about the Bugzilla bug-tracking system can be found at https://www.bugzilla.org/ Comments and follow-ups can be directed to the netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing list; https://www.mozilla.org/community.html has directions for accessing these forums.