99651 2003-04-25  17:23  /149 lines/ David Miller <justdave@syndicomm.com>
Imported: 2003-04-25  17:23  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: announce@bugzilla.org
External recipient: mozilla-announce@mozilla.org
External recipient: mozilla-webtools@mozilla.org
Recipient: Bugtraq (import) <4639>
Subject: [BUGZILLA] Security Advisory - XSS, insecure temporary filenames
------------------------------------------------------------
Bugzilla Security Advisory

April 24, 2003


Summary
=======

All Bugzilla installations are advised to upgrade to the latest stable
version of Bugzilla, 2.16.3, which was released today.

Development snapshots prior to version 2.17.4 are also affected, so
if you are using a development snapshot, you should obtain a newer
one (2.17.4) or use CVS to update.

This advisory covers multiple situations where unescaped raw HTML
submitted by users could be echoed back to the user, and a situation
where temporary files were not written to verified-unique filenames,
thus exposing them to potential symlink attacks by local users with
sufficient permissions.


Vulnerability Details
=====================

The following three security issues were fixed in versions 2.16.3 and
2.17.4.

Multiple Cross-Site Scripting Vulnerabilities in Default Templates
------------------------------------------------------------------

Bugzilla output shown to end-users is generated via HTML templates.
One of the core Bugzilla contributors recently contributed an
automated tool which detects failure-to-filter situations in the HTML
templates - situations where untrusted data was not properly filtered
for HTML metacharacters prior to outputting to end-users, allowing an
attacker to insert a script into the output by submitting data to the
server in a specially formatted manner.

Several exploitable instances were discovered in the default English
templates that are shipped with both 2.16.2 and 2.17.3 and have been
closed with this release.  We have received confirmation from the
maintainers of the German and Russian localized templates that
corrected versions of those templates sets should be available within
24 hours of this announcement for the versions they support.  For
corrected versions of other localizations, please consult the
localization's maintainer.

Bugzilla's output did not use HTML templates prior to version 2.16.

(Bugzilla Bug 192677 / BugTraq ID 6868)
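The advisory describes the template-checking tool only in outline. As an added illustration (not the tool Gervase Markham contributed, and not Bugzilla code, which is written in Perl), here is a small Python scanner for the same class of defect. It assumes Bugzilla's templates are Template Toolkit files, in which an output directive looks like [% expr %] and escaping is requested with FILTER html or another named filter; the sample template text below is constructed for this example.

```python
import re

# Constructed sample in Template Toolkit syntax (the directive syntax and the
# "FILTER html" idiom are Template Toolkit's; the template text itself is
# made up for this example and is not taken from Bugzilla).
SAMPLE_TEMPLATE = """\
[% PROCESS global/header.html.tmpl title = "Bug list" %]
<h1>[% bug.short_desc FILTER html %]</h1>
<p>Reporter: [% bug.reporter %]</p>
<a href="show_bug.cgi?id=[% bug.bug_id FILTER url_quote %]">link</a>
[% IF user.login %]
  <span>[% user.login FILTER html %]</span>
[% END %]
<pre>[% bug.long_desc %]</pre>
"""

# One [% ... %] directive, including the whitespace-chomping "-" variants.
DIRECTIVE_RE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.S)

# Directives that control flow or set variables produce no output of their
# own, so they need no filter.
CONTROL_KEYWORDS = {
    "IF", "ELSIF", "ELSE", "END", "UNLESS", "FOREACH", "WHILE", "SWITCH",
    "CASE", "PROCESS", "INCLUDE", "BLOCK", "SET", "DEFAULT", "USE", "MACRO",
    "RETURN", "STOP", "LAST", "NEXT", "#",
}

FILTER_RE = re.compile(r"\bFILTER\s+\w+")


def find_unfiltered(template_text):
    """Return [(line, directive)] for output directives that carry no FILTER.

    A directive is treated as output unless its first word is a control
    keyword or a string literal; anything else is assumed to be data that
    reaches the browser and therefore must be filtered before output.
    """
    findings = []
    for match in DIRECTIVE_RE.finditer(template_text):
        body = match.group(1)
        words = body.split()
        if not words:
            continue
        first = words[0]
        if first.upper() in CONTROL_KEYWORDS or first[0] in "\"'":
            continue
        if FILTER_RE.search(body):
            continue
        # Line number = newlines before the directive start, plus one.
        line = template_text.count("\n", 0, match.start()) + 1
        findings.append((line, body))
    return findings


if __name__ == "__main__":
    for line, directive in find_unfiltered(SAMPLE_TEMPLATE):
        print(f"line {line}: [% {directive} %] has no FILTER")
```

Run against the sample it reports the two raw directives (bug.reporter on line 3 and bug.long_desc on line 8); in a real deployment the same loop would be run over every template file, with the findings treated as build failures rather than warnings.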


Cross-Site Scripting vulnerability in local dependency graphs
-------------------------------------------------------------

Bugzilla contains a feature which allows users to generate visual
graphs of the dependency relationships between bugs.  In the past
this was done by using a remote server running the "Webdot" software.
In version 2.16, a feature was introduced which provided the
capability to use a locally-installed copy of the GraphViz suite to
generate the graph files directly on the Bugzilla server instead of
using a remote server.  This option is not enabled by default.

Bugzilla does not properly escape the bug summaries placed in the ALT
and NAME attributes to the AREA tags in the client-side image map
which is generated to go with the visual graph.  This means an
attacker could place scripts in a graph by including a script in a
specifically formatted manner as part of a bug summary.

You are vulnerable if the "webdotbase" configuration parameter
contains a local pathname to an installation of "dot".

This bug is related to a feature added to Bugzilla in version 2.16,
and thus does not affect prior versions.

(Bugzilla Bug 192661 / BugTraq ID 6861)
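To make the attribute problem concrete, the following Python example is added here; it is not Bugzilla's code (Bugzilla generates the map in Perl) and the bug ids and summaries are constructed for the example. It builds the AREA tags of a client-side image map in the defective way and in the corrected way, then parses the result back the way a browser would, showing that only the escaped form preserves the summary inside its ALT attribute.

```python
import html
import re

# Constructed sample bugs (id -> summary). The summaries are made up and
# deliberately contain the characters that break out of a quoted attribute.
SAMPLE_BUGS = {
    101: 'Crash on "Save" when the path contains <spaces>',
    102: "Tooltips & labels overlap at 200% zoom",
}


def area_unescaped(bug_id, summary):
    """The defective pattern: the summary lands in ALT and NAME verbatim."""
    return (f'<area shape="rect" coords="0,0,100,20" '
            f'href="show_bug.cgi?id={bug_id}" alt="{summary}" name="{summary}">')


def area_escaped(bug_id, summary):
    """The corrected pattern: escape &, <, > and (with quote=True) both quote
    characters, so the value cannot terminate the attribute it sits in."""
    safe = html.escape(summary, quote=True)
    return (f'<area shape="rect" coords="0,0,100,20" '
            f'href="show_bug.cgi?id={int(bug_id)}" alt="{safe}" name="{safe}">')


def build_image_map(bugs, area_builder):
    """Assemble the client-side map that accompanies the dependency graph."""
    areas = "\n".join(area_builder(i, s) for i, s in sorted(bugs.items()))
    return f'<map name="dependencies">\n{areas}\n</map>'


# A deliberately naive attribute parser: like a browser, it ends a
# double-quoted value at the next double quote, whatever follows.
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def attributes(area_tag):
    """Return {attribute: raw value} as parsed from one AREA tag."""
    return dict(ATTR_RE.findall(area_tag))


def summary_round_trips(area_tag, summary):
    """True if the ALT value, decoded the way a browser decodes entities,
    is exactly the summary we started with (nothing truncated, nothing
    spilled out of the attribute)."""
    return html.unescape(attributes(area_tag).get("alt", "")) == summary


if __name__ == "__main__":
    for bug_id, summary in SAMPLE_BUGS.items():
        print("unescaped ALT:", attributes(area_unescaped(bug_id, summary)).get("alt"))
        print("escaped ALT:  ", attributes(area_escaped(bug_id, summary)).get("alt"))
```

For bug 101 the unescaped tag's ALT value is cut off at the first embedded double quote and the rest of the summary becomes free text inside the tag, which is exactly the position from which additional attributes or markup could be introduced; the escaped tag decodes back to the original summary unchanged.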


Insecure Handling of Temporary Filenames
----------------------------------------

There are multiple places where Bugzilla creates temporary files in
world- or group-writable directories without verifying that the
filename is unused.  A user with local access to the server could
potentially create a properly-named symlink within those directories
pointing at a file which the webserver had access to, thus causing
Bugzilla to overwrite that file.

These instances have been fixed in both 2.16.3 and 2.17.4 and affect
all prior versions of Bugzilla.

(Bugzilla Bug 197153 / BugTraq ID 7412)
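Bugzilla is written in Perl and the advisory does not show the affected code; the following Python example is added here to illustrate the defect class and its fix and is not Bugzilla's code. It reproduces the failure mode in a private scratch directory: a naive open() of a predictable name follows a pre-existing symlink and truncates its target, whereas creating with O_CREAT|O_EXCL (or letting tempfile.mkstemp pick an unpredictable name and create it exclusively) refuses to touch a name that is already taken. All file names are constructed for the example.

```python
import errno
import os
import tempfile


def create_exclusive(path, mode=0o600):
    """Create `path` only if nothing exists under that name.

    O_CREAT|O_EXCL makes the kernel fail the open if any directory entry is
    already there, a symlink included, so a planted link is never followed.
    O_NOFOLLOW is added where the platform has it, as belt and braces.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, mode)
    return os.fdopen(fd, "w")


def write_unique_tmp(directory, prefix, data):
    """Let mkstemp choose an unpredictable name and create it exclusively
    (mode 0600); return the path. This replaces composing a fixed name in a
    shared directory."""
    fd, path = tempfile.mkstemp(prefix=prefix, dir=directory)
    with os.fdopen(fd, "w") as handle:
        handle.write(data)
    return path


def symlink_demo():
    """Reproduce the failure mode in a throwaway directory.

    Returns (victim contents after the naive write, exclusive create refused).
    """
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim.txt")
        with open(victim, "w") as handle:
            handle.write("original\n")

        # Constructed stand-in for a link already sitting under the name the
        # application is known to use for its temporary file.
        predictable = os.path.join(scratch, "app-predictable.tmp")
        os.symlink(victim, predictable)

        # Naive pattern: open(..., "w") follows the link and truncates the target.
        with open(predictable, "w") as handle:
            handle.write("clobbered\n")
        with open(victim) as handle:
            after = handle.read()

        # Hardened pattern: exclusive create fails because the name is taken.
        try:
            with create_exclusive(predictable):
                refused = False
        except OSError as exc:
            refused = exc.errno in (errno.EEXIST, errno.ELOOP)
        return after, refused


def unique_tmp_demo():
    """Returns (file exists afterwards, permission bits) for a mkstemp path."""
    with tempfile.TemporaryDirectory() as scratch:
        path = write_unique_tmp(scratch, "graph-", "digraph {}\n")
        mode = os.stat(path).st_mode & 0o777
        return os.path.isfile(path), mode


if __name__ == "__main__":
    after, refused = symlink_demo()
    print("naive write left the victim containing:", after.strip())
    print("exclusive create refused the planted name:", refused)
    print("mkstemp file exists / mode:", unique_tmp_demo())
```

The important property is that the check and the create are a single atomic system call; testing for existence first and then opening would leave the same window the advisory describes. The permission bits of the mkstemp file (0600) also keep other local users from reading whatever the application writes there.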


Vulnerability Solutions
=======================

The fixes for all of the security bugs mentioned in this advisory are
included in the 2.16.3 and 2.17.4 releases.  Upgrading to these
releases will protect installations against exploitations of these
security bugs.

Patches to upgrade Bugzilla to 2.16.3 are available at:
  http://ftp.mozilla.org/pub/webtools/
  (these patches are only valid for 2.16.2, 2.16.1, and 2.16 users).

Full release downloads and CVS upgrade instructions are available at:
  http://www.bugzilla.org/download.html

Links to the distribution sites of localized template sets can be found at:
  http://www.bugzilla.org/download.html#localizations


Credits
=======

The Bugzilla team wish to thank the following people for their
assistance in locating and advising us of these situations:

Jouni Heikniemi - for finding the XSS in local dependency graphs
Gervase Markham - for contributing the automated testing tool which
     located the XSS issues in the default template set
Jonathan Schatz - for discovering the insecure temporary filename handling


References
==========

Complete bug reports and the specific patches for the security bugs
covered herein may be obtained on the following bug reports:

   XSS in local dependency graphing:
   => http://bugzilla.mozilla.org/show_bug.cgi?id=192661

   XSS failure to filter in default templates:
   => http://bugzilla.mozilla.org/show_bug.cgi?id=192677

   Insecure handling of temporary filenames:
   => http://bugzilla.mozilla.org/show_bug.cgi?id=197153

General information about the Bugzilla bug-tracking system can be found at
   http://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools
mailing list; http://www.mozilla.org/community.html has directions
for accessing these forums.

-30-
-- 
Dave Miller      Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/             http://www.bugzilla.org/