[UNIX] Two Bugzilla Information Disclosure Vulnerabilities
From: SecuriTeam (support_at_securiteam.com)
Date: 09/19/05
- Previous message: SecuriTeam: "[UNIX] vBulletin Information Disclosure (backup.php)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 19 Sep 2005 11:06:15 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Two Bugzilla Information Disclosure Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.bugzilla.org/> Bugzilla - "Open-source bug tracking software,
with a web-based interface. Written in Perl, with MySQL database
back-end."
Bugzilla Security Advisory reveals two information leaking issues that
have recently been discovered and fixed in Bugzilla.
DETAILS
Vulnerable Systems:
* Bugzilla versions 2.17.1 - 2.18.1, 2.19.1 - 2.19.3
Immune Systems:
* Bugzilla version 2.18.2
Any user can change a flag on any bug: (Versions: 2.17.1 - 2.18.1, 2.19.1
- 2.19.3)
Any user can change any flag on any bug, even if they don't have access to
that bug, or even if they can't normally make bug changes. This also
allows them to expose the summary of a bug. By manually modifying a link
to process_bug.cgi, it is possible to change a flag on a bug that you do
not have access to, because Bugzilla does not validate that the flag you
are attempting to change is associated with the bug that you are
attempting to change. If the attacker makes a flag change which causes the
attacker to be emailed, the attacker will see the summary of the bug in
that email. If you are using the request_group or grant_group features of
2.19, the attacker will be prevented from exploiting this security hole if
they do not have permission to change the flag in the fashion that they
are changing it.
Reference:
<https://bugzilla.mozilla.org/show_bug.cgi?id=293159>
https://bugzilla.mozilla.org/show_bug.cgi?id=293159
Summaries of private bugs are exposed: (Versions:2.17.1 and above)
Bugs are inserted into the database before they are marked as private, in
Bugzilla code. Thus, MySQL replication can lag in between the time that
the bug is inserted and when it is marked as private (usually less than a
second). If replication lags at this point, the bug summary will be
accessible to all users until replication catches up. Also, on a very slow
machine, there may be a pause longer than a second that allows users to
see the title of the newly-filed bug.
Reference:
<https://bugzilla.mozilla.org/show_bug.cgi?id=292544>
https://bugzilla.mozilla.org/show_bug.cgi?id=292544
Patch Availability:
All Bugzilla installations are advised to upgrade to the latest stable
version of Bugzilla, 2.18.2.
<http://www.bugzilla.org/download.html>
http://www.bugzilla.org/download.html
ADDITIONAL INFORMATION
The information has been provided by <mailto:mkanat@bugzilla.org> Max
Kanat-Alexander.
The original article can be found at:
<https://bugzilla.mozilla.org/show_bug.cgi?id=293159>
https://bugzilla.mozilla.org/show_bug.cgi?id=293159
The original article can be found at:
<https://bugzilla.mozilla.org/show_bug.cgi?id=292544>
https://bugzilla.mozilla.org/show_bug.cgi?id=292544
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] vBulletin Information Disclosure (backup.php)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [UNIX] Bugzilla Patch Available for the XSS and Insecure Temporary Filenames Vulnerabilities
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... All Bugzilla installations
are advised to upgrade to the latest stable ... Bugzilla output shown to end-users is generated
via HTML templates. ... manner as part of a bug summary. ... (Securiteam) - [UNIX] Bugzilla Multiple Vulnerabilities (Unauthorized Bug Change, Information Disclosure)
... Get your security news from a reliable source. ... Lack of proper privileges
checking in Bugzilla, ... Unauthorized Bug Change: ... Any user can change
any flag on any bug, even if they don't have access to ... (Securiteam) - [BUGZILLA] Security Advisory - remote database password disclosure
... Bugzilla Security Advisory ... major (remote database password disclosure, bug
186383) ... All Bugzilla installations are advised to upgrade to the latest versions ...
(Bugtraq) - [ GLSA 200507-12 ] Bugzilla: Unauthorized access and information disclosure
... Bugzilla is a web-based bug-tracking system used by many projects. ... Bugzilla
allows any user to modify the flags of any bug ... Bugzilla Security Advisory ...
(Bugtraq) - Risks Digest 24.91
... ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ... Adi Shamir's
bug attack ... Security company e-mail undercuts user education ... (comp.risks)
