2.16.2, 2.17.3 Security Advisory
Thursday, Apr 24th, 20032.16.2, 2.17.3 Security Advisory
April 24th, 2003Summary ======= All Bugzilla installations are advised to upgrade to the latest stable version of Bugzilla, 2.16.3, which was released today. Development snapshots prior to version 2.17.4 are also affected, so if you are using a development snapshot, you should obtain a newer one (2.17.4) or use CVS to update. This advisory covers multiple situations where unescaped raw HTML submitted by users could be echoed back to the user, and a situation where temporary files were not written to verified-unique filenames, thus exposing them to potential symlink attacks by local users with sufficient permissions. Vulnerability Details ===================== The following three security issues were fixed in versions 2.16.3 and 2.17.4. Multiple Cross-Site Scripting Vulnerabilities in Default Templates ------------------------------------------------------------------ Bugzilla output shown to end-users is generated via HTML templates. One of the core Bugzilla contributors recently contributed an automated tool which detects failure-to-filter situations in the HTML templates - situations where untrusted data was not properly filtered for HTML metacharacters prior to outputting to end-users, allowing an attacker to insert a script into the output by submitting data to the server in a specially formatted manner. Several exploitable instances were discovered in the default English templates that are shipped with both 2.16.2 and 2.17.3 and have been closed with this release. We have received confirmation from the maintainers of the German and Russian localized templates that corrected versions of those templates sets should be available within 24 hours of this announcement for the versions they support. For corrected versions of other localizations, please consult the localization's maintainer. Bugzilla's output did not use HTML templates prior to version 2.16. (Bugzilla Bug 192677 / BugTraq ID 6868) Cross-Site Scripting vulnerability in local dependency graphs ------------------------------------------------------------- Bugzilla contains a feature which allows users to generate visual graphs of the dependency relationships between bugs. In the past this was done by using a remote server running the "Webdot" software. In version 2.16, a feature was introduced which provided the capability to use a locally-installed copy of the GraphViz suite to generate the graph files directly on the Bugzilla server instead of using a remote server. This option is not enabled by default. Bugzilla does not properly escape the bug summaries placed in the ALT and NAME attributes to the AREA tags in the client-side image map which is generated to go with the visual graph. This means an attacker could place scripts in a graph by including a script in a specifically formatted manner as part of a bug summary. You are vulnerable if the "webdotbase" configuration parameter contains a local pathname to an installation of "dot". This bug is related to a feature added to Bugzilla in version 2.16, and thus does not affect prior versions. (Bugzilla Bug 192661 / BugTraq ID 6861) Insecure Handling of Temporary Filenames ---------------------------------------- There are multiple places where Bugzilla creates temporary files in world- or group-writable directories without verifying that the filename is unused. A user with local access to the server could potentially create a properly-named symlink within those directories pointing at a file which the webserver had access to, thus causing Bugzilla to overwrite that file. These instances have been fixed in both 2.16.3 and 2.17.4 and affect all prior versions of Bugzilla. (Bugzilla Bug 197153 / BugTraq ID 7412) Vulnerability Solutions ======================= The fixes for all of the security bugs mentioned in this advisory are included in the 2.16.3 and 2.17.4 releases. Upgrading to these releases will protect installations against exploitation of these security bugs. Patches to upgrade Bugzilla to 2.16.3 are available at: https://ftp.mozilla.org/pub/webtools/ (these patches are only valid for 2.16.2, 2.16.1, and 2.16 users). Full release downloads and CVS upgrade instructions are available at: https://www.bugzilla.org/download.html Links to the distribution sites of localized template sets can be found at: https://www.bugzilla.org/download.html#localizations Credits ======= The Bugzilla team wish to thank the following people for their assistance in locating and advising us of these situations: Jouni Heikniemi - for finding the XSS in local dependency graphs Gervase Markham - for contributing the automated testing tool which located the XSS issues in the default template set Jonathan Schatz - for discovering the insecure temporary filename handling References ========== Complete bug reports and the specific patches for the security bugs covered herein may be obtained on the following bug reports: XSS in local dependency graphing: => https://bugzilla.mozilla.org/show_bug.cgi?id=192661 XSS failure to filter in default templates: => https://bugzilla.mozilla.org/show_bug.cgi?id=192677 Insecure handling of temporary filenames => https://bugzilla.mozilla.org/show_bug.cgi?id=197153 General information about the Bugzilla bug-tracking system can be found at https://www.bugzilla.org/ Comments and follow-ups can be directed to the netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing list; https://www.mozilla.org/community.html has directions for accessing these forums. -30-