3.2, 3.0.6, 2.22.6, and 3.3.1 Security Advisory

Monday, Feb 2nd, 2009

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:

* It was possible for users to upload a malicious attachment to
  that would run in the context of Bugzilla's domain (thus 
  circumventing cross-site request protections in browsers).

* Bug updating was vulnerable to a cross-site request forgery.
  Note that this issue was only fixed for 3.2.1 and 3.3.2 even though
  all versions of Bugzilla are affected (see below for an explanation).

* Keywords, unused flag types, and saved searches could be deleted via
  cross-site request forgery. Also, a user's preferences could be
  changed via cross-site request forgery.

All affected installations are encouraged to upgrade as soon as
possible.


Vulnerability Details
=====================

Class:       Abuse of Functionality (Attachments)
Affected:    Every version before 2.22.7, 3.0.7, 3.2.1, or 3.3.2
Fixed In:    2.22.7, 3.0.7, 3.2.1, 3.3.2
Description: Bugzilla users can upload HTML or JavaScript attachments
             that are then viewed by other users in their web browsers.
             A malicious user could trick another Bugzilla user into
             viewing a malicious attachment that could then operate
             as that user. Since Bugzilla would view attachments
             using the same domain name as the rest of the application,
             such malicious attachments could access the cookies of
             the user and perform other activities usually restricted
             by the cross-site request protections of web browsers.
             
             Bugzilla now provides a two-fold solution to this problem:
             
             Bugzilla 2.22.7, 3.0.7, 3.2.1, and 3.3.2 now prevent
             users from viewing attachments in their browsers, by
             default. There is a new parameter named
             "allow_attachment_display" that administrators can enable
             to override this protection.
             
             Once this parameter is turned on, Bugzilla 3.0.7, 3.2.1,
             and 3.3.2 allow administrators to specify that attachments
             should be viewed using a different domain. This increases
             safety for the end user by enabling the browser's
             cross-domain request protections.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=38862
             https://bugzilla.mozilla.org/show_bug.cgi?id=472206


Class:       Cross-Site Request Forgery
Affected:    Every version before 3.2.1 or 3.3.2
Fixed In:    3.2.1, 3.3.2
Description: Bug updating was vulnerable to a cross-site request
             forgery, because it did not validate that calls to
             process_bug.cgi actually came from Bugzilla.
             
             Bugzilla now generates a token that is validated when
             process_bug.cgi is called. This may break automated
             scripts that call process_bug.cgi directly, unless they
             first load show_bug.cgi to get a valid token.
             
             Unfortunately, a fix for this issue was only possible for
             3.2.1 and 3.3.2. Fixing it on earlier branches would have
             broken Bugzilla's mid-air collision functionality.
             
             It should be noted that this issue actually was not a
             secret--it has been public knowledge for quite some time.
             It is only included in this security advisory to note that
             a fix is now available.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=26257


Class:       Cross-Site Request Forgery
Affected:    All Versions (for keywords and user preferences), 2.17 and higher (for flags), 3.0 and higher (for saved searches)
Fixed In:    2.22.7, 3.0.7, 3.2.1, 3.3.2
Description: When deleting saved searches, keywords, or unused 
             (never set on any bug or attachment) flags, or when a user
             updated their preferences, Bugzilla did not properly 
             validate that the request came from Bugzilla. So, it was
             possible to trick a user into click on a link that would
             perform these actions without their consent.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=466692
             https://bugzilla.mozilla.org/show_bug.cgi?id=466748
             https://bugzilla.mozilla.org/show_bug.cgi?id=472362


Vulnerability Solutions
=======================

The fix for these issues is included in the 
releases. Upgrading to a release with the relevant fix will
protect your installation from possible exploits of these issues.

If you are unable to upgrade but would like to patch just the security
vulnerability, there are patches available for the issues at the
"References" URL.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and git upgrade instructions are available at:

  https://www.bugzilla.org/download/


Credits
=======

The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix this
issue:


Issue 1 Reporter: Jesse Ruderman, Max Kanat-Alexander
Issue 1 Fixed by: Max Kanat-Alexander, Frédéric Buclin


Issue 2 Reporter: Terry Weissman
Issue 2 Fixed by: Jesse Ruderman, Frédéric Buclin, Teemu Mannermaa


Issue 3 Reporter: Stephen Lee, Frédéric Buclin
Issue 3 Fixed by: Frédéric Buclin, Max Kanat-Alexander

General information about the Bugzilla bug-tracking system can be found
at:

  https://www.bugzilla.org/

Comments and follow-ups can be directed to the support-bugzilla mailing list.
https://www.bugzilla.org/support/ has directions for accessing this forum.