3.2.9, 3.4.9, 3.6.3, and and 4.0rc1 Security Advisory

Monday, Jan 24th, 2011
Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issue has been discovered
in Bugzilla:

* A weakness in Bugzilla could allow a user to gain unauthorized access
to another Bugzilla account.

* A weakness in the Perl CGI.pm module allows injecting HTTP headers
and content to users via several pages in Bugzilla.

* The new user autocomplete functionality in Bugzilla 4.0 is vulnerable
to a cross-site scripting attack.

* The new automatic duplicate detection functionality in Bugzilla 4.0
is vulnerable to a cross-site scripting attack.

* If you put a harmful "javascript:" or "data:" URL into Bugzilla's
"URL" field, then there are multiple situations in which Bugzilla
will unintentionally make that link clickable.

* Various pages lack protection against cross-site request forgeries.

All affected installations are encouraged to upgrade as soon as
possible.


Vulnerability Details
=====================

Class:       Account Compromise
Versions:    2.14 to 3.2.9, 3.4.9, 3.6.3, 4.0rc1
Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
Description: It was possible for a user to gain unauthorized access to
any Bugzilla account in a very short amount of time (short
enough that the attack is highly effective). This is a
critical vulnerability that should be patched immediately
by all Bugzilla installations.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=621591
https://bugzilla.mozilla.org/show_bug.cgi?id=619594
CVE Number:  CVE-2010-4568

Class:       HTTP Response Splitting
Versions:    Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2
Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
Description: By inserting particular strings into certain URLs, it was
possible to inject both headers and content to any
browser.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=591165
https://bugzilla.mozilla.org/show_bug.cgi?id=621572
http://avatraxiom.livejournal.com/104105.html
http://cwe.mitre.org/data/definitions/113.html
CVE Number:  CVE-2010-2761, CVE-2010-4411, CVE-2010-4572

Class:       Cross-Site Scripting
Versions:    3.7.1 to 4.0rc1
Fixed In:    4.0rc2
Description: Bugzilla 3.7.x and 4.0rc1 have a new client-side
autocomplete mechanism for all fields where a username
is entered. This mechanism was vulnerable to a cross-site
scripting attack.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=619637
CVE Number:  CVE-2010-4569

Class:       Cross-Site Scripting
Versions:    3.7.1 to 4.0rc1
Fixed In:    4.0rc2
Description: Bugzilla 3.7.x and 4.0rc1 have a new mechanism on the
bug entry page for automatically detecting if the bug
you are filing is a duplicate of another existing bug.
This mechanism was vulnerable to a cross-site scripting
attack.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=619648
CVE Number:  CVE-2010-4570

Class:       Cross-Site Scripting
Versions:    Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2
Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
Description: Bugzilla has a "URL" field that can contain several types
of URL, including "javascript:" and "data:" URLs. However,
it does not make "javascript:" and "data:" URLs into
clickable links, to protect against cross-site scripting
attacks or other attacks. It was possible to bypass this
protection by adding spaces into the URL in places that
Bugzilla did not expect them. Also, "javascript:" and 
"data:" links were *always- summary: |-
shown as clickable to
logged-out users.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=619588
https://bugzilla.mozilla.org/show_bug.cgi?id=628034
CVE Number:  CVE-2010-4567, CVE-2011-0048

Class:       Cross-Site Request Forgery
Versions:    Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2
Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
Description: Various pages were vulnerable to Cross-Site Request 
Forgery attacks. Most of these issues are not as serious
as previous CSRF vulnerabilities. Some of these issues
were only addressed on more recent branches of Bugzilla
and not fixed in earlier branches, in order to avoid
changing behavior that external applications may depend
on. The links below in "References" describe which issues
were fixed on which branches.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=621090
https://bugzilla.mozilla.org/show_bug.cgi?id=621105
https://bugzilla.mozilla.org/show_bug.cgi?id=621107
https://bugzilla.mozilla.org/show_bug.cgi?id=621108
https://bugzilla.mozilla.org/show_bug.cgi?id=621109
https://bugzilla.mozilla.org/show_bug.cgi?id=621110
CVE Number:  CVE-2011-0046


Vulnerability Solutions
=======================

The fix for this issue is included in the 
releases. Upgrading to a release with the relevant fix will
protect your installation from possible exploits of this issue.

If you are unable to upgrade but would like to patch just the security
vulnerability, there are patches available for the issue at the
"References" URL.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and git upgrade instructions are available at:

  https://www.bugzilla.org/download/


Credits
=======

The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix this
issue:


Issue 1 Reporter: Max Kanat-Alexander
Issue 1 Fixed by: Max Kanat-Alexander


Issue 2 Reporter: Frédéric Buclin, Michal Zalewski
Issue 2 Fixed by: Reed Loden, Frédéric Buclin, Max Kanat-Alexander


Issue 3 Reporter: Reed Loden
Issue 3 Fixed by: Reed Loden, Max Kanat-Alexander, Guy Pyrzak, Frédéric Buclin


Issue 4 Reporter: Reed Loden
Issue 4 Fixed by: Guy Pyrzak, Max Kanat-Alexander, Frédéric Buclin


Issue 5 Reporter: Alex Miller
Issue 5 Fixed by: Frédéric Buclin


Issue 6 Reporter: José A. Vázquez, Reed Loden
Issue 6 Fixed by: David Lawrence, Frédéric Buclin, Willem Pinckaers

General information about the Bugzilla bug-tracking system can be found
at:

  https://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
https://www.bugzilla.org/support/ has directions for accessing these
forums.