Security Advisory for Bugzilla 2.18.3, 2.20rc2, and 2.21

mkanat_at_bugzilla.org
Date: 10/01/05

    Date: 1 Oct 2005 01:18:45 -0000
    To: bugtraq@securityfocus.com
    
    
    Summary
    =======

    Bugzilla is a Web-based bug-tracking system, used by a large number of
    software projects.

    This advisory covers two security bugs that have recently been
    discovered and fixed in the Bugzilla code:

    + config.cgi exposes information to users who aren't logged in, even
      when "requirelogin" is turned on in Bugzilla.

    + It is possible to bypass the "user visibility groups" restrictions
      if user-matching is turned on in "substring" mode.

    All Bugzilla installations are advised to upgrade to the latest stable
    version of Bugzilla, 2.20.

    Development snapshots of 2.21 before 2.21.1 are also vulnerable. If you are
    using a development snapshot, you should upgrade to 2.21.1, use CVS to update,
    or apply the patches from the specific bugs listed below.

    None of these vulnerabilities affect the old Bugzilla 2.16 branch.

    Vulnerability Details
    =====================

    Issue 1
    -------
    Class: Information Leak
    Versions: 2.18rc1 - 2.18.3, 2.19 - 2.20rc2, 2.21
    Description: config.cgi gives JavaScript and RDF information about Bugzilla
                 to third-party clients, including a list of products in the
                 Bugzilla installation. The "requirelogin" parameter requires
                 that all people be logged into Bugzilla before seeing any data,
                 as a security measure.
                 In affected versions, config.cgi is always accessible and
                 always returns this information to users who are not logged
                 in, even when "requirelogin" is turned on, possibly exposing
                 product names that administrators expected to be confidential.
    Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=308256

    Issue 2
    -------
    Class: Information Leak
    Versions: 2.19.1 - 2.20rc2, 2.21
    Description: Bugzilla contains features to prevent users from "seeing" other
                 users, enabled by the "usevisibilitygroups" parameter. Bugzilla
                 also contains a feature called "user matching," which enables
                 users to type in part of a username and get back a list of
                 possible matches.
                 If user matching is turned on and is in "substring" mode,
                 every matching user is returned for a query, regardless of
                 the visibility group settings, exposing users who should be
                 invisible to the requester.
    Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=308662
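    The substring-mode bypass described above, as an added example that is not Bugzilla's own Perl code: a simplified Python model in which the pre-fix matcher skips the visibility check in "substring" mode and the fixed matcher applies it in every mode. The group-visibility rule, the sample user directory and the exact semantics of the parameters are constructed assumptions.

```python
# Added illustration of the advisory's second issue (not Bugzilla's Perl code):
# a simplified model of user matching under the "usevisibilitygroups" parameter.
# Group visibility here is a constructed simplification of Bugzilla's schema.
from dataclasses import dataclass, field

@dataclass
class User:
    login: str
    groups: set = field(default_factory=set)

# Constructed grants: members of the key group may see members of the groups
# in the value set.  Groups absent from this table are visible to nobody else.
VISIBILITY = {
    "staff": {"staff", "contractors"},
    "contractors": {"contractors"},
}

def can_see(viewer, target, usevisibilitygroups):
    """True if viewer may see target; users always see themselves."""
    if not usevisibilitygroups or viewer.login == target.login:
        return True
    visible = set().union(*(VISIBILITY.get(g, set()) for g in viewer.groups))
    return bool(target.groups & visible)

def match_users_vulnerable(query, viewer, users, mode, usevisibilitygroups):
    """Pre-fix behaviour: only "exact" mode consults the visibility check,
    so a "substring" query returns every matching user."""
    if mode == "exact":
        return [u.login for u in users
                if u.login == query and can_see(viewer, u, usevisibilitygroups)]
    return [u.login for u in users if query in u.login]

def match_users_fixed(query, viewer, users, mode, usevisibilitygroups):
    """Fixed behaviour: the visibility check applies in every matching mode."""
    def hit(u):
        return u.login == query if mode == "exact" else query in u.login
    return [u.login for u in users
            if hit(u) and can_see(viewer, u, usevisibilitygroups)]

# Constructed sample directory; "secret-partner" should be hidden from bob.
USERS = [
    User("alice@example.com", {"staff"}),
    User("bob@example.com", {"contractors"}),
    User("secret-partner@example.com", {"partners"}),
]
BOB = USERS[1]

if __name__ == "__main__":
    print("leaked:", match_users_vulnerable("example", BOB, USERS, "substring", True))
    print("fixed: ", match_users_fixed("example", BOB, USERS, "substring", True))
```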

    Vulnerability Solutions
    =======================

    The fixes for all of the security bugs mentioned in this advisory
    are included in the 2.18.4, 2.20, and 2.21.1 releases. Upgrading
    to these releases will protect installations from possible exploits
    of these issues.

    Full release downloads, patches to upgrade Bugzilla from previous
    versions, and CVS upgrade instructions are available at:
      http://www.bugzilla.org/download/

    Specific patches for each of the individual issues can be found on the
    corresponding bug reports for each issue, at the URL given in the
    reference for that issue in the list above.

    Credits
    =======

    The Bugzilla team wishes to thank the following people for their
    assistance in locating these issues, advising us of them, and helping
    us fix them:

    Frédéric Buclin
    Joel Peshkin
    Myk Melez
    Max Kanat-Alexander

    General information about the Bugzilla bug-tracking system can be found
    at http://www.bugzilla.org/

    Comments and follow-ups can be directed to the
    netscape.public.mozilla.webtools newsgroup or the mozilla-webtools
    mailing list; http://www.bugzilla.org/support/ has directions for
    accessing these forums.

