[UNIX] Multiple Vulnerabilities In Bugzilla (DB Password, Privilege Escalation, CSS, SQL Injection)


Date: 13 Jul 2004 11:48:52 +0200
From: SecuriTeam <[email protected]>
To: [email protected]
Subject: [UNIX] Multiple Vulnerabilities In Bugzilla (DB Password, Privilege Escalation, CSS, SQL Injection)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



  Multiple Vulnerabilities In Bugzilla (DB Password, Privilege Escalation, CSS, SQL Injection)
------------------------------------------------------------------------


SUMMARY

Bugzilla is "a Web-based bug-tracking system, used by a large number of 
software projects".

This advisory covers security bugs that have recently been discovered and 
fixed in the Bugzilla code: In the stable 2.16 releases, one instance of 
arbitrary SQL injection exploitable only by a privileged user, several 
instances of insufficient data validation and/or escaping, and two 
instances of unprivileged access to names of restricted products. The 
Bugzilla project knows of no occasion where any of these vulnerabilities 
have been exploited.

DETAILS

Vulnerable Systems:
 * Bugzilla version 2.16.5 and prior
 * Bugzilla Development version 2.18rc1 and prior

Immune Systems:
 * Bugzilla version 2.16.6

Database Password Compromise
Versions:
 2.17.1 through 2.17.7 (2.16-based releases are not affected)

If the SQL server is halted but the web server is left running, older 
versions of DBI display an error message to the remote user that contains 
the database password. While a properly configured database would still 
only be accessible by a local user using that password, all installations 
are advised to change the password after upgrading.

Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=227191

Privilege Escalation
Versions:
 2.17.1 through 2.17.7 (2.16-based releases are not affected)

A user with privileges to grant membership to one or more individual 
groups (i.e. usually an administrator) can trick the administrative 
controls into granting membership in groups other than the ones he has 
privileges for.

Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=233486

Information Leak
Versions: All versions prior to 2.16.6 and 2.18rc1

If Bugzilla is configured to hide entire products from some users, both 
duplicates.cgi and the form for mass-editing a list of bugs in buglist.cgi 
can disclose the names of those hidden products to such users.

References: http://bugzilla.mozilla.org/show_bug.cgi?id=234825 and 
http://bugzilla.mozilla.org/show_bug.cgi?id=234855

Cross-Site Scripting vulnerability
Versions: All versions prior to 2.16.6 and 2.18rc1

Several administration CGIs echo invalid data back to the user without 
escaping it.

Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=235265

User Password Embedded in URL
Versions: 2.17.5 through 2.17.7 (2.16-based releases are not affected)

The user's password can be embedded as part of an image URL, and thus 
visible in the web server logs, if the user is prompted to log in while 
attempting to view a chart.

Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=235510
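The chart-login issue above leaves the user's password in the request line of the web server access log, where anyone with log access can read it. As an added example, not part of the advisory or of Bugzilla's own code, a short Python triage script that finds such entries in Apache combined-format logs (request target and Referer) and redacts them before the logs are retained; the log lines are constructed, and the Bugzilla_password parameter name is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format: method, request target, status, referer.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" ')

# Query parameters that must never appear in a URL. The Bugzilla login
# field name is assumed here; the advisory does not name it.
SENSITIVE = {"bugzilla_password", "password", "passwd"}
VALUE_RE = re.compile(r'((?:Bugzilla_password|password|passwd)=)[^&\s"]*', re.I)

# Constructed sample lines: a normal query, a chart image request that
# carries login credentials in its query string, and a POST login.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Jul/2004:11:48:52 +0200] "GET /bugzilla/buglist.cgi?bug_status=NEW HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [13/Jul/2004:11:49:01 +0200] "GET /bugzilla/chart.cgi?image=1&Bugzilla_login=user%40example.org&Bugzilla_password=hunter2 HTTP/1.1" 200 812 "http://bz.example.org/bugzilla/reports.cgi" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Jul/2004:11:50:13 +0200] "POST /bugzilla/index.cgi HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

def find_credential_leaks(lines):
    """One finding per log line whose request target or referer carries a sensitive parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not combined format; skip rather than guess
        for field in ("target", "referer"):
            url = m.group(field)
            if url in ("-", ""):
                continue
            parts = urlsplit(url)
            params = parse_qs(parts.query, keep_blank_values=True)
            hit = sorted(k for k in params if k.lower() in SENSITIVE)
            if hit:
                findings.append({"field": field, "path": parts.path, "params": hit})
    return findings

def redact_line(line):
    """Blank the value of any sensitive parameter so retained logs stop carrying it."""
    return VALUE_RE.sub(r"\1[REDACTED]", line)
```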

Remote SQL injection vulnerability
Versions: All versions prior to 2.16.6 and 2.18rc1

A user with privileges to grant membership to any group (i.e. usually an 
administrator) can trick editusers.cgi into executing arbitrary SQL.

Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=244272
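Both the group-grant privilege escalation and the editusers.cgi SQL injection above come down to trusting the group values a privileged user submits. As an added illustration, not Bugzilla's code, the server-side handling that closes both: every group id from the edit-user form is re-parsed as an integer, checked against the set of groups the acting user may actually bless, and bound as a query parameter rather than interpolated into SQL. The user_group_map table and its isbless column are a simplified assumption modelled on Bugzilla's schema.

```python
import sqlite3

# Constructed, simplified user_group_map (an assumption, not Bugzilla's schema):
# isbless=1 means "may grant membership in this group", isbless=0 is membership.
SCHEMA = """CREATE TABLE user_group_map (
    user_id INTEGER NOT NULL, group_id INTEGER NOT NULL,
    isbless INTEGER NOT NULL DEFAULT 0, UNIQUE (user_id, group_id, isbless));"""

def blessable_groups(conn, actor_id):
    """Group ids the actor may grant membership in."""
    rows = conn.execute(
        "SELECT group_id FROM user_group_map WHERE user_id = ? AND isbless = 1",
        (actor_id,))
    return {r[0] for r in rows}

def grant_memberships(conn, actor_id, target_id, submitted):
    """Apply group ids submitted by the edit-user form.

    Each value is re-checked on the server: it must parse as an integer and lie
    in the actor's bless set. Ids are bound as parameters, never pasted into SQL.
    Returns (granted ids, rejected raw values)."""
    allowed = blessable_groups(conn, actor_id)
    granted, rejected = [], []
    for raw in submitted:
        try:
            gid = int(str(raw).strip())
        except ValueError:
            rejected.append(raw)      # not a group id at all, e.g. "3 OR 1=1"
            continue
        if gid not in allowed:
            rejected.append(raw)      # group the actor has no privilege to bless
            continue
        conn.execute(
            "INSERT OR IGNORE INTO user_group_map (user_id, group_id, isbless) "
            "VALUES (?, ?, 0)", (target_id, gid))
        granted.append(gid)
    conn.commit()
    return granted, rejected

def demo():
    """Actor 10 may bless only group 1 and submits 1, 2 and a crafted value for user 20."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO user_group_map VALUES (10, 1, 1)")
    result = grant_memberships(conn, 10, 20, ["1", "2", "3 OR 1=1"])
    members = {r[0] for r in conn.execute(
        "SELECT group_id FROM user_group_map WHERE user_id = 20 AND isbless = 0")}
    return result, members
```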

Vulnerability Solutions
The fixes for all of the security bugs mentioned in this advisory are 
included in the 2.16.6 and 2.18rc1 releases.  Upgrading to these releases 
will protect installations from possible exploits of these issues.

Full release downloads, patches to upgrade Bugzilla to 2.16.6 from 
previous 2.16.x versions, and CVS upgrade instructions are available at:
http://www.bugzilla.org/download.html

Specific patches for each of the individual issues can be found on the 
corresponding bug reports for each issue, at the URL given in the 
reference for that issue in the list above.

Credits
The Bugzilla team wishes to thank the following people for their 
assistance in locating, reporting, and helping us fix these issues:
Vlad Dascalu
Laran Evans
Jouni Heikniemi
Felix Hieronymi
Byron Jones
Gervase Markham
Dave Miller
Gabriel Millerd
Joel Peshkin
Christian Reis


ADDITIONAL INFORMATION

The information has been provided by David Miller ([email protected]).
The original article can be found at:
http://www.bugzilla.org/security/2.16.5/




