[UNIX] Bugzilla Patch Available for the XSS and Insecure Temporary Filenames Vulnerabilities

support_at_securiteam.com
Date: 04/28/03

    To: list@securiteam.com
    Date: 28 Apr 2003 16:46:49 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

    Bugzilla Patch Available for the XSS and Insecure Temporary Filenames Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    All Bugzilla installations are advised to upgrade to the latest stable
    version of Bugzilla, 2.16.3, which was released today.

    Development snapshots prior to version 2.17.4 are also affected, so if you
    are using a development snapshot, you should obtain a newer one (2.17.4)
    or use CVS to update.

    This advisory covers multiple situations where unescaped raw HTML
    submitted by users could be echoed back to other users (cross-site
    scripting), and a situation where temporary files were not written to
    verified-unique filenames, exposing them to symlink attacks by local users
    with sufficient permissions.

    DETAILS

    Vulnerable systems:
     * Bugzilla version 2.16.2 and prior
     * Bugzilla version 2.17.3 (development) and prior development snapshots

    Immune systems:
     * Bugzilla version 2.16.3
     * Bugzilla version 2.17.4 (development, CVS updated as of the 25th of
    April)

    The following three security issues were fixed in versions 2.16.3 and
    2.17.4.

    Multiple Cross-Site Scripting Vulnerabilities in Default Templates
    Bugzilla output shown to end-users is generated via HTML templates. One of
    the core Bugzilla contributors recently contributed an automated tool that
    detects failure-to-filter situations in the HTML templates: places where
    untrusted data is not filtered for HTML metacharacters before being output
    to end-users, allowing an attacker to insert a script into the output by
    submitting specially formatted data to the server.

    Several exploitable instances were discovered in the default English
    templates that are shipped with both 2.16.2 and 2.17.3 and have been
    closed with this release. We have received confirmation from the
    maintainers of the German and Russian localized templates that corrected
    versions of those templates sets should be available within 24 hours of
    this announcement for the versions they support. For corrected versions of
    other localizations, please consult the localization's maintainer.

    Bugzilla's output did not use HTML templates prior to version 2.16.
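    The kind of failure-to-filter check the advisory describes, as an added
    example that is not Bugzilla's own tool: a small lint that scans Template
    Toolkit style directives (the syntax Bugzilla's templates use) and reports
    output directives whose value is not passed through an escaping filter.
    The sample template, the list of control keywords and the set of filters
    accepted as safe (html, uri, js) are assumptions made for this example.

```python
import re

# Matches one [% ... %] directive, including the [%- ... -%] chomp forms.
DIRECTIVE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.S)

# Directive keywords that control flow or pull in other templates rather
# than emit a value; they are skipped (assumption: subset used by this lint).
CONTROL_KEYWORDS = {
    "IF", "ELSIF", "ELSE", "UNLESS", "END", "FOREACH", "WHILE", "SWITCH",
    "CASE", "INCLUDE", "PROCESS", "INSERT", "BLOCK", "MACRO", "WRAPPER",
    "SET", "DEFAULT", "USE", "CALL", "RETURN", "STOP", "NEXT", "LAST",
    "TRY", "CATCH", "FINAL", "THROW", "PERL", "RAWPERL", "META", "TAGS",
}

# Escaping filters this lint treats as adequate (assumption for the example).
SAFE_FILTER = re.compile(r"\bFILTER\s+(html|uri|js)\b")


def find_unfiltered(template_text):
    """Return [(line_number, expression), ...] for every output directive
    that interpolates a value without an escaping filter."""
    findings = []
    for m in DIRECTIVE.finditer(template_text):
        expr = m.group(1)
        if not expr or expr.startswith("#"):   # [%# comment %] emits nothing
            continue
        first = expr.split(None, 1)[0]
        if first in CONTROL_KEYWORDS:          # flow control, not output
            continue
        if first[0] in "\"'":                  # string literal, no user data
            continue
        if SAFE_FILTER.search(expr):           # already escaped
            continue
        line_no = template_text.count("\n", 0, m.start()) + 1
        findings.append((line_no, expr))
    return findings


# Constructed template fragment in the style of a bug page; it is not a real
# Bugzilla template. Lines 1, 3 and 5 each contain one unfiltered directive.
SAMPLE_TEMPLATE = """<title>Bug [% bug.bug_id %] - [% bug.short_desc FILTER html %]</title>
[% IF bug.alias %]
  <b>Alias:</b> [% bug.alias %]
[% END %]
<a href="show_bug.cgi?id=[% bug.bug_id FILTER uri %]">[% bug.short_desc %]</a>
[%# this comment emits nothing %]
[% INCLUDE "global/footer.html.tmpl" %]
"""

if __name__ == "__main__":
    for line_no, expr in find_unfiltered(SAMPLE_TEMPLATE):
        print(f"line {line_no}: [% {expr} %] is not filtered")
```

    The check is deliberately syntactic: it does not know which values are
    numeric or otherwise trusted, so a finding such as bug.bug_id is a
    candidate for review rather than a confirmed hole, while the unfiltered
    bug.short_desc on line 5 is exactly the pattern the advisory fixes.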

    Cross-Site Scripting vulnerability in local dependency graphs
    Bugzilla contains a feature that allows users to generate visual graphs of
    the dependency relationships between bugs. In the past, this was done by
    using a remote server running the "Webdot" software. In version 2.16, a
    feature was introduced which provided the capability to use a locally
    installed copy of the GraphViz suite to generate the graph files directly
    on the Bugzilla server instead of using a remote server. This option is
    not enabled by default.

    Bugzilla does not properly escape the bug summaries placed in the ALT and
    NAME attributes of the AREA tags in the client-side image map that is
    generated to go with the visual graph. An attacker who can set a bug
    summary could therefore craft one that breaks out of the attribute and
    injects script into the page that displays the graph.

    You are vulnerable if the "webdotbase" configuration parameter contains a
    local pathname to an installation of "dot".

    This bug is related to a feature added to Bugzilla in version 2.16, and
    thus does not affect prior versions.
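    The image-map attribute injection described above, as an added example
    (this is not Bugzilla's code): one AREA tag built the pre-fix way, with the
    bug summary interpolated raw into ALT and NAME, beside the same tag built
    with attribute escaping. The attribute layout, the coords string and the
    sample summary are constructed for illustration.

```python
import html

# Constructed attacker-controlled bug summary: closes the ALT attribute,
# injects a script element, then opens a throwaway attribute so the rest
# of the original tag still parses cleanly.
PAYLOAD_SUMMARY = '"><script>alert(document.cookie)</script><area dummy="'


def area_tag_unescaped(bug_id, summary, coords):
    """Pre-fix behaviour: the summary lands in the attributes as-is."""
    return (f'<area alt="{summary}" name="{summary}" shape="rect" '
            f'coords="{coords}" href="show_bug.cgi?id={bug_id}">')


def area_tag_escaped(bug_id, summary, coords):
    """Fixed behaviour: encode &, <, >, " and ' before attribute use, and
    coerce the bug id to an integer so it cannot carry markup either."""
    safe = html.escape(summary, quote=True)
    return (f'<area alt="{safe}" name="{safe}" shape="rect" '
            f'coords="{coords}" href="show_bug.cgi?id={int(bug_id)}">')


def tag_count(markup):
    """Number of '<' characters; a single well-formed AREA tag has one."""
    return markup.count("<")


if __name__ == "__main__":
    print(area_tag_unescaped(42, PAYLOAD_SUMMARY, "0,0,80,20"))
    print(area_tag_escaped(42, PAYLOAD_SUMMARY, "0,0,80,20"))
```

    The summary is used twice in the tag, so the unescaped form ends up with
    two copies of the injected script; the escaped form keeps the whole
    summary inside the quoted attribute value, where the browser treats it as
    text.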

    Insecure Handling of Temporary Filenames
    There are multiple places where Bugzilla creates temporary files in world-
    or group-writable directories without verifying that the filename is
    unused. A user with local access to the server could create a symlink
    with the expected name in one of those directories, pointing at any file
    the web server has write access to, causing Bugzilla to overwrite that
    file when it writes the temporary file.

    These instances have been fixed in both 2.16.3 and 2.17.4 and affect all
    prior versions of Bugzilla.
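    The symlink attack on predictable temporary filenames, as an added example
    that is not Bugzilla's code: a world-writable scratch directory, a file
    the server process can write, an attacker who plants a symlink at the
    name the application is about to use, and three ways of writing the
    temporary file (plain open-and-truncate, O_CREAT|O_EXCL on the fixed name,
    and an atomically generated unique name). The directory and file names are
    constructed for the demonstration; it needs a POSIX filesystem.

```python
import os
import tempfile


def vulnerable_write(path, data):
    """Open-and-truncate at a guessable name: follows a planted symlink and
    overwrites whatever it points to."""
    with open(path, "w") as f:
        f.write(data)


def safe_write(path, data):
    """Refuse to open if anything already exists at the name. With O_CREAT
    and O_EXCL the kernel fails on an existing symlink instead of following
    it; O_NOFOLLOW is added where the platform offers it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    if hasattr(os, "O_NOFOLLOW"):
        flags |= os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:            # EEXIST (or ELOOP): name is taken, do not write
        return False
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return True


def unique_write(directory, data):
    """Let the OS pick an unused name atomically; returns the path used."""
    fd, path = tempfile.mkstemp(prefix="graph-", suffix=".dot", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Constructed scenario: run the attack against each writer and report
    what happened to the victim file."""
    shared = tempfile.mkdtemp(prefix="shared-")
    os.chmod(shared, 0o1777)                           # world-writable, like /tmp
    victim = os.path.join(tempfile.mkdtemp(prefix="webdata-"), "params")
    with open(victim, "w") as f:
        f.write("original contents\n")

    predictable = os.path.join(shared, "graph.dot")    # the guessable name
    os.symlink(victim, predictable)                    # attacker's move

    vulnerable_write(predictable, "clobbered\n")       # follows the symlink
    with open(victim) as f:
        after_vulnerable = f.read()

    safe_ok = safe_write(predictable, "clobbered again\n")
    with open(victim) as f:
        after_safe = f.read()

    unique = unique_write(shared, "digraph {}\n")      # never the planted name
    return {
        "victim_after_vulnerable": after_vulnerable,
        "safe_write_succeeded": safe_ok,
        "victim_after_safe": after_safe,
        "unique_path_differs": unique != predictable,
        "unique_in_shared": os.path.dirname(unique) == shared,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

    The exclusive-create variant only refuses to write; a service that still
    needs the file must then pick another name, which is why the mkstemp
    approach (unique name chosen and created in one step) is the usual fix.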

    Vulnerability Solutions:
    The fixes for all of the security bugs mentioned in this advisory are
    included in the 2.16.3 and 2.17.4 releases. Upgrading to these releases
    will protect installations against exploitations of these security bugs.

    Patches to upgrade Bugzilla to 2.16.3 are available at:
    http://ftp.mozilla.org/pub/webtools/ (these patches are only valid for
    2.16.2, 2.16.1, and 2.16 users).

    Full release downloads and CVS upgrade instructions are available at:
    http://www.bugzilla.org/download.html

    Links to the distribution sites of localized template sets can be found
    at: http://www.bugzilla.org/download.html#localizations

    ADDITIONAL INFORMATION

    References:
    Complete bug reports and the specific patches for the security bugs
    covered herein may be obtained on the following bug reports:

    XSS in local dependency graphing:
    http://bugzilla.mozilla.org/show_bug.cgi?id=192661

    XSS failure to filter in default templates:
    http://bugzilla.mozilla.org/show_bug.cgi?id=192677

    Insecure handling of temporary filenames:
    http://bugzilla.mozilla.org/show_bug.cgi?id=197153

    General information about the Bugzilla bug-tracking system can be found at
    http://www.bugzilla.org/

    Comments and follow-ups can be directed to the
    netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing
    list; http://www.mozilla.org/community.html has directions for accessing
    these forums.

    Credits:
    The Bugzilla team wish to thank the following people for their assistance
    in locating and advising us of these situations:

    Jouni Heikniemi - for finding the XSS in local dependency graphs

    Gervase Markham - for contributing the automated testing tool that located
    the XSS issues in the default template set

    Jonathan Schatz - for discovering the insecure temporary filename handling

    The information has been provided by David Miller
    <justdave@syndicomm.com>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

