Tutorial - Bugzilla vulnerabilities

Bugzilla vulnerabilities

Updated 5/6/03

Impact

Multiple vulnerabilities could allow remote account hijacking, viewing of restricted data, SQL injection, cross-site scripting, or command execution.

Note: The red stoplight on this page indicates the highest possible severity level for this category of vulnerabilities. The actual severity level in this instance is indicated by the colored dot beside the link to this tutorial on the previous page.

Background

Bugzilla is an open source bug tracking system written in PERL.

The Problems

5/6/03
The following vulnerabilities affect Bugzilla 2.17 through 2.17.3, and versions prior to 2.16.3:

Cross-site scripting vulnerabilities in default templates
Cross-site scripting vulnerability in local dependency graphs
Insecure handling of temporary file names, leading to potential overwriting of arbitrary files by unauthorized local users

1/13/03
The following vulnerabilities affect Bugzilla 2.17 through 2.17.2, 2.16, 2.16.1, and versions prior to 2.14.5:

CAN 2003-0013 Insufficient protection for backups of the localconfig file which may be created by editors such as emacs or vi, allowing an attacker to gain access to the database password and other sensitive information.
CAN 2003-0012 The data collection script changes the permissions of the data/mining directory to be world-writable, potentially allowing a local attacker to modify or delete the collected data.

10/15/02
Bugzilla 2.16, 2.15, and versions prior to 2.14.4 are affected by additional vulnerabilities, including:

CAN 2002-1196 Granting of improper permissions when using usebuggroups and more than 47 groups
CAN 2002-1197 Command injection through the bugzilla_email_append.pl script
CAN 2002-1198 SQL injection due to improper handling of apostrophes

1/11/02
6/14/02
CAN 2001-1401
CAN 2001-1402
CAN 2001-1403
CVE 2002-0007
CAN 2002-0008
CVE 2002-0009
CAN 2002-0010
CVE 2002-0011
CAN 2002-0803
CVE 2002-0804
CVE 2002-0805
CVE 2002-0806
CAN 2002-0807
CVE 2002-0808
CVE 2002-0809
CVE 2002-0810
CAN 2002-0811
Older versions of Bugzilla are affected by additional vulnerabilities ranging from cross-site scripting to account hijacking. Bugzilla versions prior to 2.14.2, version 2.15, and version 2.16 prior to rc2 are affected by these vulnerabilities.

CAN 2001-0329
CVE 2001-0330
In versions prior to 2.12, two CGI scripts included in Bugzilla lead to further vulnerabilities. The first script, globals.pl, could reveal sensitive information such as path names and database passwords. The second, process_bug.cgi, could allow a remote attacker to execute arbitrary commands if the attacker registers with Bugzilla with a specially crafted e-mail address containing shell commands.

Resolution

Upgrade to Bugzilla 2.16.3 or higher, or to the development snapshot 2.17.4 or higher.

Where can I read more about this?

The latest vulnerabilities were reported in Bugzilla Security Advisories 2.16.1 and 2.16.2.

The older vulnerabilities were reported in Bugtraq, Bugtraq, @stake advisory 04.30.01, and a Bugzilla Security Advisory.