[UNIX] Bugzilla Unauthorized Bug Modification And Information Disclosure Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 10/26/04

  • Next message: SecuriTeam: "[UNIX] Kaffeine Media Player Content-Type Overflow"
    To: list@securiteam.com
    Date: 26 Oct 2004 17:42:57 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Bugzilla Unauthorized Bug Modification And Information Disclosure
    Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.bugzilla.org/> Bugzilla is a web-based bug (and enhancement)
    tracking engine built over MySQL. It's often used for distributed Open
    Source development, but is used by corporations (both internally and
    externally) as well.

    Three security bugs have been found in Bugzilla and are documented in this
    advisory. The vulnerabilities range from private information disclosure to
    unauthorized bug modifications possible by a third party.

    DETAILS

    Vulnerable Systems:
     * Bugzilla version 2.16 stable (bug modification only)
     * Bugzilla version 2.18 release candidates (RCs, information leaks)

    Immune Systems:
     * Bugzilla versions 2.16.7 and 2.18rc3

    Unauthorized Bug Modification
    It is possible to send a carefully crafted HTTP POST message to
    process_bug.cgi which will remove keywords from a bug even if you don't
    have permissions to edit all bug fields (the "editbugs" permission). Such
    changes are reported in "bug changed" email notifications, so they are
    easily detected and reversed if someone abuses it.
    Reference:
     <https://bugzilla.mozilla.org/show_bug.cgi?id=252638>
    https://bugzilla.mozilla.org/show_bug.cgi?id=252638

    Private User Comments and Attachment Summaries Leak In XML Bug Export
    Exporting a bug to XML exposes user comments and attachment summaries
    which are marked as private to users who are not members of the group
    allowed to see private comments and attachments. XML export is not
    exposed in the user interface, but is available to anyone who knows the
    correct URL to invoke it. This only affects sites that use the
    'insidergroup' feature.
    Reference:
     <https://bugzilla.mozilla.org/show_bug.cgi?id=263780>
    https://bugzilla.mozilla.org/show_bug.cgi?id=263780

    Private Metadata Changes For Attachments Information Leak
    Changes to the metadata (filename, description, mime type, review flags)
    on attachments which were flagged as private get displayed to users who
    are not members of the group allowed to see private attachments when
    viewing the bug activity log and when receiving bug change notification
    mails. This only affects sites that use the 'insidergroup' feature.
    References:
     <https://bugzilla.mozilla.org/show_bug.cgi?id=250605>
    https://bugzilla.mozilla.org/show_bug.cgi?id=250605
     <https://bugzilla.mozilla.org/show_bug.cgi?id=253544>
    https://bugzilla.mozilla.org/show_bug.cgi?id=253544

    Patch Availability:
    Fixes for all security bugs mentioned in this advisory are included in the
    2.16.7 and 2.18rc3 releases, and in the 2.19.1 development snapshot.
    Upgrading to these releases will protect installations from possible
    exploits of these issues.

    Full release downloads, patches to upgrade Bugzilla to 2.16.7 from
    previous 2.16.x versions, and CVS upgrade instructions are available at:
     <http://www.bugzilla.org/download/> http://www.bugzilla.org/download/

    Specific patches for each of the individual issues can be found on the
    corresponding bug reports for each issue, at the URL given in the
    reference for that issue in the list above.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:justdave@bugzilla.org> David
    Miller.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[UNIX] Kaffeine Media Player Content-Type Overflow"

    Relevant Pages

    • Risks Digest 27.76
      ... UMD security breach exposes personal info of students, faculty, staff ... Gox Shakes Bitcoin World - NYTimes.com ... On the Suspicious Timing of iOS's SSL Vulnerability (John Gruber via ... Subject: iPhone's Critical Security Bug: a Single Bad `Goto' ...
      (comp.risks)
    • Risks Digest 24.91
      ... ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ... Adi Shamir's bug attack ... Security company e-mail undercuts user education ...
      (comp.risks)
    • Exim 3.34 and lower.
      ... Its a good time to announce that 2xs security LTD. decided to ... GDB is free software, covered by the GNU General Public License, and you ... will research and fix this bug. ... > the end of the string, reading garbage, causing a segfault, whatever. ...
      (Vuln-Dev)
    • Re: [Full-disclosure] Apple Safari ... DoS Vulnerability
      ... In my book, maybe only in mine, a software bug is security relevant ... or indirect control of a another entity (i.e attacker). ... simply because computers have limited resources. ...
      (Full-Disclosure)
    • Re: [Lit.] Buffer overruns - LONG
      ... effects of security bugs on the intended functionof the ... then I agree that techniques for reducing the impact of a bug ... overrun bug (its hazard) depends on the intended function of the ...
      (sci.crypt)