2.18.5, 2.20.2, 2.22, and 2.23.2 Security Advisory

Sunday, Oct 15th, 2006
Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issue has been discovered
in Bugzilla:

* Sometimes the information put into the <h1> and <h2> tags in Bugzilla
was not properly escaped, leading to a possible XSS vulnerability.

* Bugzilla administrators were allowed to put raw, unfiltered HTML into
many fields in Bugzilla, leading to a possible XSS vulnerability. 
Now, the HTML allowed in those fields is limited.

* attachment.cgi could leak the names of private attachments

* The "deadline" field was visible in the XML format of a bug, even to
users who were not a member of the "timetrackinggroup."

* A malicious user could pass a URL to an admin, and make the admin
delete or change something that he had not intended to delete or 
change.

* It is possible to inject arbitrary HTML into the showdependencygraph.cgi
page, allowing for a cross-site scripting attack.

All affected installations are encouraged to upgrade as soon as
possible.


Vulnerability Details
=====================

Class:       Cross-Site Scripting
Versions:    2.15 and above

Description: Bugzilla sometimes displays admin-provided data in page 
headers (meaning the <h1> and <h2> HTML tags of a page).
Sometimes, this data was not properly escaped, leading to 
the possibility of a Cross-Site Scripting vulnerability.
For the most part, this was only exploitable by 
administrators, and so is not of critical severity.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=330555


Class:       Cross-Site Scripting
Versions:    2.0 and above

Description: Bugzilla allows administrators to put HTML in the
descriptions of products, components, and other items. It
also allows HTML in certain other fields. Before the
most recent releases of Bugzilla, this HTML was completely
unfiltered. These fields are only editable by
certain users, who are specified by the admin. This makes
this vulnerability less severe. However, these users could
use this exploit to perform Cross-Site Scripting attacks
on nearly all users of a particular Bugzilla (including
users with higher permission levels than themselves).

Bugzilla now allows only certain HTML tags in those fields,
protecting users from a Cross-Site Scripting attack.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=206037


Class:       Information Leak
Versions:    2.17 and above

Description: When viewing an attachment in "Diff" mode, a user who is
not in the "insidergroup" (the group required to view
private attachments) can read the one-line descriptions
of all attachments, even "private" attachments.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=346086


Class:       Information Leak
Versions:    2.19.2 and above

Description: Bugzilla has a "deadline" field, which is usually only
visible to people in the "timetrackinggroup" group.
However, it was exposed in the XML format of a bug to all
users.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=346564


Class:       Security Enhancement
Versions:    2.0 and above

Description: Bugzilla updates, deletes, and creates data through a
web interface. Administrators update things like user
accounts through this interface. All of these pages accept
URL variables in both GET and POST formats.

A malicious user could craft a URL that would edit a user
(or any other admin-protected item), and then using a
service like TinyURL, could obscure the URL so that an
administrator couldn't tell what it was. Then, getting the
administrator to click on that URL, the action would be
performed, against the administrator's will.

This is now prevented. Bugzilla will only accept changes
on administrative pages if they come from Bugzilla's own
forms. That is, you have to use the form to make changes--
you now cannot just click a URL and accidentally make an
administrative change to Bugzilla.

Although technically this affects all versions of Bugzilla,
it has only been fixed on our most recent release (2.22.1
and our latest development snapshot, 2.23.3), because the
fix was too invasive to backport further. Administrators
of previous versions of Bugzilla should only click on URLs
from users that they fully trust.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=281181


Class:       Cross-Site Scripting
Versions:    2.15 and above

Description: showdependencygraph.cgi is a script that allows you to display
a graph of how bugs are related. There is a cross-site
scripting vulnerability in this script that allows for arbitrary
HTML injection. The user would have to follow a malicious URL
in order to trigger the attack--it is not possible for another
user to otherwise inject HTML into the page for the current
user.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=355728



Vulnerability Solutions
=======================

The fix for this issue is included in the 
releases. Upgrading to a release with the relevant fix will
protect your installation from possible exploits of this issue.

If you are unable to upgrade but would like to patch just the security
vulnerability, there are patches available for the issue at the
"References" URL.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and git upgrade instructions are available at:

  https://www.bugzilla.org/download/


Credits
=======

The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix this
issue:


Issue 1 Reporter: Frédéric Buclin
Issue 1 Fixed by: Frédéric Buclin, Gavin Shelley, Max Kanat-Alexander, Dave Miller


Issue 2 Reporter: Gervase Markham
Issue 2 Fixed by: Gavin Shelley, Dave Miller, Gervase Markham, Frédéric Buclin


Issue 3 Reporter: Frédéric Buclin
Issue 3 Fixed by: Frédéric Buclin, Dave Miller, Gervase Markham, Myk Melez


Issue 4 Reporter: Josh "timeless" Soref
Issue 4 Fixed by: Frédéric Buclin, Max Kanat-Alexander, Olav Vitters


Issue 5 Reporter: Gavin Shelley
Issue 5 Fixed by: Frédéric Buclin, Dave Miller, Max Kanat-Alexander


Issue 6 Reporter: Max Kanat-Alexander
Issue 6 Fixed by: Max Kanat-Alexander, Frédéric Buclin, Dave Miller

General information about the Bugzilla bug-tracking system can be found
at:

  https://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
https://www.bugzilla.org/support/ has directions for accessing these
forums.