3.2, 3.0.6, 2.22.6, and 3.3.1 Security Advisory

Monday, Feb 2nd, 2009
Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issue has been discovered
in Bugzilla:

* It was possible for users to upload a malicious attachment to
that would run in the context of Bugzilla's domain (thus 
circumventing cross-site request protections in browsers).

* Bug updating was vulnerable to a cross-site request forgery.
Note that this issue was only fixed for 3.2.1 and 3.3.2 even though
all versions of Bugzilla are affected (see below for an explanation).

* Keywords, unused flag types, and saved searches could be deleted via
cross-site request forgery. Also, a user's preferences could be
changed via cross-site request forgery.

All affected installations are encouraged to upgrade as soon as
possible.


Vulnerability Details
=====================

Class:       Abuse of Functionality (Attachments)
Versions:    Every version before 2.22.7, 3.0.7, 3.2.1, or 3.3.2
Fixed In:    2.22.7, 3.0.7, 3.2.1, 3.3.2
Description: Bugzilla users can upload HTML or JavaScript attachments
that are then viewed by other users in their web browsers.
A malicious user could trick another Bugzilla user into
viewing a malicious attachment that could then operate
as that user. Since Bugzilla would view attachments
using the same domain name as the rest of the application,
such malicious attachments could access the cookies of
the user and perform other activities usually restricted
by the cross-site request protections of web browsers.

Bugzilla now provides a two-fold solution to this problem:

Bugzilla 2.22.7, 3.0.7, 3.2.1, and 3.3.2 now prevent
users from viewing attachments in their browsers, by
default. There is a new parameter named
"allow_attachment_display" that administrators can enable
to override this protection.

Once this parameter is turned on, Bugzilla 3.0.7, 3.2.1,
and 3.3.2 allow administrators to specify that attachments
should be viewed using a different domain. This increases
safety for the end user by enabling the browser's
cross-domain request protections.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=38862
https://bugzilla.mozilla.org/show_bug.cgi?id=472206


Class:       Cross-Site Request Forgery
Versions:    Every version before 3.2.1 or 3.3.2
Fixed In:    3.2.1, 3.3.2
Description: Bug updating was vulnerable to a cross-site request
forgery, because it did not validate that calls to
process_bug.cgi actually came from Bugzilla.

Bugzilla now generates a token that is validated when
process_bug.cgi is called. This may break automated
scripts that call process_bug.cgi directly, unless they
first load show_bug.cgi to get a valid token.

Unfortunately, a fix for this issue was only possible for
3.2.1 and 3.3.2. Fixing it on earlier branches would have
broken Bugzilla's mid-air collision functionality.

It should be noted that this issue actually was not a
secret--it has been public knowledge for quite some time.
It is only included in this security advisory to note that
a fix is now available.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=26257


Class:       Cross-Site Request Forgery
Versions:    All Versions (for keywords and user preferences), 2.17 and higher (for flags), 3.0 and higher (for saved searches)
Fixed In:    2.22.7, 3.0.7, 3.2.1, 3.3.2
Description: When deleting saved searches, keywords, or unused 
(never set on any bug or attachment) flags, or when a user
updated their preferences, Bugzilla did not properly 
validate that the request came from Bugzilla. So, it was
possible to trick a user into click on a link that would
perform these actions without their consent.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=466692
https://bugzilla.mozilla.org/show_bug.cgi?id=466748
https://bugzilla.mozilla.org/show_bug.cgi?id=472362



Vulnerability Solutions
=======================

The fix for this issue is included in the 
releases. Upgrading to a release with the relevant fix will
protect your installation from possible exploits of this issue.

If you are unable to upgrade but would like to patch just the security
vulnerability, there are patches available for the issue at the
"References" URL.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and git upgrade instructions are available at:

  https://www.bugzilla.org/download/


Credits
=======

The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix this
issue:


Issue 1 Reporter: Jesse Ruderman, Max Kanat-Alexander
Issue 1 Fixed by: Max Kanat-Alexander, Frédéric Buclin


Issue 2 Reporter: Terry Weissman
Issue 2 Fixed by: Jesse Ruderman, Frédéric Buclin, Teemu Mannermaa


Issue 3 Reporter: Stephen Lee, Frédéric Buclin
Issue 3 Fixed by: Frédéric Buclin, Max Kanat-Alexander

General information about the Bugzilla bug-tracking system can be found
at:

  https://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
https://www.bugzilla.org/support/ has directions for accessing these
forums.