[UNIX] Bugzilla Multiple Vulnerabilities (Unauthorized Bug Change, Information Disclosure)

• Previous message: SecuriTeam: "[TOOL] SpiderFoot - Domain Foot-Printing Tool"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 1 Aug 2005 18:53:03 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Bugzilla Multiple Vulnerabilities (Unauthorized Bug Change, Information
Disclosure)
------------------------------------------------------------------------

SUMMARY

 <http://www.bugzilla.org> Bugzilla is "server software designed to help
you manage software development".

Lack of proper privileges checking in Bugzilla, allows attackers to expose
or hide bugs, change their status, and/or obtain bug information before
changing their status to private.

DETAILS

Vulnerable Systems:
 * Bugzilla development snapshots version 2.19.3
 * Bugzilla version 2.18.1
 * Bugzilla version 2.17.1

Immune Systems:
 * Bugzilla version 2.18.2
 * Bugzilla version 2.20rc1

Unauthorized Bug Change:
Any user can change any flag on any bug, even if they don't have access to
that bug, or even if they can't normally make bug changes. This also
allows them to expose the summary of a bug.

By manually modifying a link to process_bug.cgi, it is possible to change
a flag on a bug that you do not have access to, because Bugzilla does not
validate that the flag you are attempting to change is associated with the
bug that you are attempting to change.

If the attacker makes a flag change which causes the attacker to be
emailed, the attacker will see the summary of the bug in that email.

If you are using the request_group or grant_group features of 2.19, the
attacker will be prevented from exploiting this security hole if they do
not have permission to change the flag in the fashion that they are
changing it.

Information Disclosure:
Bugs are inserted into the database before they are marked as private, in
Bugzilla code. Thus, MySQL replication can lag in between the time that
the bug is inserted and when it is marked as private (usually less than a
second). If replication lags at this point, the bug summary will be
accessible to all users until replication catches up.

Also, on a very slow machine, there may be a pause longer than a second
that allows users to see the title of the newly-filed bug.

Vendor Status:
The fixes for all of the security bugs mentioned in this advisory are
included in the 2.18.2 and 2.20rc1 releases. Upgrading to these releases
will protect installations from possible exploits of these issues.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:
<http://www.bugzilla.org/download.html>
http://www.bugzilla.org/download.html.

Specific patches for each of the individual issues can be found on the
corresponding bug reports for each issue, at the URL given in the
reference for that issue in the list above.

ADDITIONAL INFORMATION

The information has been provided by <mailto:mkanat@bugzilla.org> mkanat.
Bug reports about the issues can be found at:
<https://bugzilla.mozilla.org/show_bug.cgi?id=293159>
https://bugzilla.mozilla.org/show_bug.cgi?id=293159,
 <https://bugzilla.mozilla.org/show_bug.cgi?id=292544>
https://bugzilla.mozilla.org/show_bug.cgi?id=292544

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[TOOL] SpiderFoot - Domain Foot-Printing Tool"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [UNIX] Two Bugzilla Information Disclosure Vulnerabilities ... Get your security news from a reliable source. ... have recently been discovered and fixed in Bugzilla. ... Any user can change any flag on any bug, even if they don't have access to ... (Securiteam) [UNIX] Bugzilla Patch Available for the XSS and Insecure Temporary Filenames Vulnerabilities ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... All Bugzilla installations are advised to upgrade to the latest stable ... Bugzilla output shown to end-users is generated via HTML templates. ... manner as part of a bug summary. ... (Securiteam) [BUGZILLA] Security Advisory - remote database password disclosure ... Bugzilla Security Advisory ... major (remote database password disclosure, bug 186383) ... All Bugzilla installations are advised to upgrade to the latest versions ... (Bugtraq) Security Advisory for Bugzilla 3.0.3, 3.1.3, 2.22.3, and 2.20.5 ... This advisory covers three security issues that have recently been ... fixed in the Bugzilla code: ... Users without the "canconfirm" privilege could enter a bug as NEW ... All affected installations are encouraged to upgrade as soon as possible. ... (Bugtraq) Risks Digest 24.91 ... ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ... Adi Shamir's bug attack ... Security company e-mail undercuts user education ... (comp.risks)