2.18.5, 2.20.2, 2.22, and 2.23.2 Security AdvisoryOctober 15, 2006
Summary ======= Bugzilla is a Web-based bug-tracking system, used by a large number of software projects. This advisory covers six security issues that have recently been fixed in the Bugzilla code: + Sometimes the information put into the <h1> and <h2> tags in Bugzilla was not properly escaped, leading to a possible XSS vulnerability. + Bugzilla administrators were allowed to put raw, unfiltered HTML into many fields in Bugzilla, leading to a possible XSS vulnerability. Now, the HTML allowed in those fields is limited. + attachment.cgi could leak the names of private attachments + The "deadline" field was visible in the XML format of a bug, even to users who were not a member of the "timetrackinggroup." + A malicious user could pass a URL to an admin, and make the admin delete or change something that he had not intended to delete or change. + It is possible to inject arbitrary HTML into the showdependencygraph.cgi page, allowing for a cross-site scripting attack. We strongly advise that 2.18.x users upgrade to 2.18.6. 2.20.x users should upgrade to 2.20.3. 2.22 users, and users of 2.16.x or below, should upgrade to 2.22.1. Development snapshots of 2.23 before 2.23.3 are also vulnerable to all of these issues. If you are using a development snapshot, you should upgrade to 2.23.3, use CVS to update, or apply the patches from the specific bugs listed below. Vulnerability Details ===================== Issue 1 ------- Class: Cross-Site Scripting Versions: 2.15 and above Description: Bugzilla sometimes displays admin-provided data in page headers (meaning the <h1> and <h2> HTML tags of a page). Sometimes, this data was not properly escaped, leading to the possibility of a Cross-Site Scripting vulnerability. For the most part, this was only exploitable by administrators, and so is not of critical severity. Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=330555 Issue 2 ------- Class: Cross-Site Scripting Versions: 2.0 and above Description: Bugzilla allows administrators to put HTML in the descriptions of products, components, and other items. It also allows HTML in certain other fields. Before the most recent releases of Bugzilla, this HTML was completely unfiltered. These fields are only editable by certain users, who are specified by the admin. This makes this vulnerability less severe. However, these users could use this exploit to perform Cross-Site Scripting attacks on nearly all users of a particular Bugzilla (including users with higher permission levels than themselves). Bugzilla now allows only certain HTML tags in those fields, protecting users from a Cross-Site Scripting attack. Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=206037 Issue 3 ------- Class: Information Leak Versions: 2.17 and above Description: When viewing an attachment in "Diff" mode, a user who is not in the "insidergroup" (the group required to view private attachments) can read the one-line descriptions of all attachments, even "private" attachments. Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=346086 Issue 4 ------- Class: Information Leak Versions: 2.19.2 and above Description: Bugzilla has a "deadline" field, which is usually only visible to people in the "timetrackinggroup" group. However, it was exposed in the XML format of a bug to all users. Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=346564 Issue 5 ------- Class: Security Enhancement Versions: 2.0 and above Description: Bugzilla updates, deletes, and creates data through a web interface. Administrators update things like user accounts through this interface. All of these pages accept URL variables in both GET and POST formats. A malicious user could craft a URL that would edit a user (or any other admin-protected item), and then using a service like TinyURL, could obscure the URL so that an administrator couldn't tell what it was. Then, getting the administrator to click on that URL, the action would be performed, against the administrator's will. This is now prevented. Bugzilla will only accept changes on administrative pages if they come from Bugzilla's own forms. That is, you have to use the form to make changes-- you now cannot just click a URL and accidentally make an administrative change to Bugzilla. Although technically this affects all versions of Bugzilla, it has only been fixed on our most recent release (2.22.1 and our latest development snapshot, 2.23.3), because the fix was too invasive to backport further. Administrators of previous versions of Bugzilla should only click on URLs from users that they fully trust. Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=281181 Issue 6 ------- Class: Cross-Site Scripting Versions: 2.15 and above Description: showdependencygraph.cgi is a script that allows you to display a graph of how bugs are related. There is a cross-site scripting vulnerability in this script that allows for arbitrary HTML injection. The user would have to follow a malicious URL in order to trigger the attack--it is not possible for another user to otherwise inject HTML into the page for the current user. Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=355728 Vulnerability Solutions ======================= The fixes for all of the security bugs mentioned in this advisory are included in the 2.18.6, 2.20.3, 2.22.1, and 2.23.3 releases. Upgrading to these releases will protect installations from possible exploits of these issues. Full release downloads, patches to upgrade Bugzilla from previous versions, and CVS upgrade instructions are available at: https://www.bugzilla.org/download.html Specific patches for each of the individual issues can be found on the corresponding bug reports for each issue, at the URL given in the reference for that issue in the list above. Credits ======= The Bugzilla team wish to thank the following people for their assistance in locating, advising us of, and assisting us to fix these situations: Frédéric Buclin* Dave Miller Gervase Markham Gavin Shelley Max Kanat-Alexander Myk Melez Josh "timeless" Soref Olav Vitters Adam Merrifield * The Bugzilla Project would like to express special thanks to Frédéric. He worked many, many volunteer hours to fix many of the issues above, and is largely responsible for most of these issues being fixed. They would not have been fixed without him. General information about the Bugzilla bug-tracking system can be found at: https://www.bugzilla.org/ Comments and follow-ups can be directed to the mozilla.support.bugzilla newsgroup or the support-bugzilla mailing list. https://www.bugzilla.org/support/ has directions for accessing these forums.