exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Bugzilla Chart Generator Cross Site Scripting

Bugzilla Chart Generator Cross Site Scripting
Posted Jan 3, 2012
Site redteam-pentesting.de

RedTeam Pentesting discovered a cross site scripting vulnerability in Bugzilla's chart generator during a penetration test. If attackers can persuade users to click on a prepared link or redirected them to such a link from an attacker-controlled website, they are able to run arbitrary JavaScript code in the context of the Bugzilla installation's domain. Versions affected include 2.17.1 to 3.4.12, 3.5.1 to 3.6.6, 3.7.1 to 4.0.2 and 4.1.1 to 4.1.3.

tags | exploit, arbitrary, javascript, xss
advisories | CVE-2011-3657
SHA-256 | ca81bb38b09a55cb4defe19fe6466a61b7037842c123590640a2365869115e44

Bugzilla Chart Generator Cross Site Scripting

Change Mirror Download
Advisory: Bugzilla: Cross-Site Scripting in Chart Generator

RedTeam Pentesting discovered a Cross-Site Scripting (XSS) vulnerability
in Bugzilla's chart generator during a penetration test. If attackers
can persuade users to click on a prepared link or redirected them to
such a link from an attacker-controlled website, they are able to run
arbitrary JavaScript code in the context of the Bugzilla installation's
domain.

Details
=======

Product: Bugzilla
Affected Versions: 2.17.1 to 3.4.12, 3.5.1 to 3.6.6, 3.7.1 to 4.0.2,
4.1.1 to 4.1.3
Fixed Versions: 3.4.13, 3.6.7, 4.0.3, 4.2rc1
Vulnerability Type: Cross Site Scripting
Security Risk: high
Vendor URL: http://www.bugzilla.org
Vendor Status: fixed version released
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2012-001
Advisory Status: published
CVE: CVE-2011-3657
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3657


Introduction
============

"Bugzilla is a 'Defect Tracking System' or 'Bug-Tracking System'. Defect
Tracking Systems allow individual or groups of developers to keep track
of outstanding bugs in their product effectively. Most commercial
defect-tracking software vendors charge enormous licensing fees. Despite
being 'free', Bugzilla has many features its expensive counterparts
lack. Consequently, Bugzilla has quickly become a favorite of thousands
of organizations across the globe."

(from Bugzilla's homepage)


More Details
============

The chart-generating script chart.cgi contains a method plot(), that
creates a new chart:

sub plot {
validateWidthAndHeight();
$vars->{'chart'} = new Bugzilla::Chart($cgi);

my $format = $template->get_format("reports/chart", "", scalar($cgi->param('ctype')));

# Debugging PNGs is a pain; we need to be able to see the error messages
if ($cgi->param('debug')) {
print $cgi->header();
$vars->{'chart'}->dump();
}

print $cgi->header($format->{'ctype'});
disable_utf8() if ($format->{'ctype'} =~ /^image\//);

$template->process($format->{'template'}, $vars)
|| ThrowTemplateError($template->error());
}

The function's code shows that there is a "debug" parameter, that, if
set, will make the function print out the variable that represents the
chart with the dump() method implemented in Chart.pm:

sub dump {
my $self = shift;

# Make sure we've read in our data
my $data = $self->data;

require Data::Dumper;
print "<pre>Bugzilla::Chart object:\n";
print Data::Dumper::Dumper($self);
print "</pre>";
}

The dump() method then prints the given data structures without any
further checks. This includes user-defined variables sent as URL or HTTP
POST parameters, especially "label0". As the content of this variable is
not checked for malicious input, it can be used to inject arbitrary
JavaScript code into the debugging output. In fact, any variable of the
form "labelXXX", where "XXX" is an arbitrary number, will work. The
view() method in chart.cgi also invokes dump() when the "debug"
parameter is set:

sub view {
[...]
# If we have having problems with bad data, we can set debug=1 to dump
# the data structure.
$chart->dump() if $cgi->param('debug');
[...]
}

After reporting the bug, the Bugzilla team discovered that almost the
same code is used in report.cgi, too, leading to the same problem:

# Problems with this CGI are often due to malformed data. Setting debug=1
# prints out both data structures.
if ($cgi->param('debug')) {
require Data::Dumper;
print "<pre>data hash:\n";
print Data::Dumper::Dumper(%data) . "\n\n";
print "data array:\n";
print Data::Dumper::Dumper(@image_data) . "\n\n</pre>";
}

Triggering this XSS is more involved though. One attack vector would be
for example to create a Bugzilla account, set one's own real name to
contain JavaScript code, add a new bug and then create a report where
one of the axes is the assignee's real name. Adding the debug=1
parameter to the resulting image URL will then include the name in the
output, triggering the XSS.


Proof of Concept
================

The following URL generates a new chart with debugging output enabled,
containing JavaScript code in the "label0" parameter:

http://www.example.org/bugzilla/chart.cgi
?category=-All-
&datefrom=
&dateto=
&label0=<script>alert("XSS")</script>
&line0=1
&name=1
&subcategory=-All-
&ctype=png
&action=plot
&width=600
&height=350
&debug=1

The next URL triggers an XSS if one's real name includes JavaScript
code, e.g. 'John Doe<script>alert("XSS")</script>':

http://www.example.org/bugzilla/report.cgi
?query_format=report-graph
&x_axis_field=bug_status
&x_labels_vertical=1
&y_axis_field=assigned_to_realname
&format=bar
&ctype=png
&action=plot
&width=600
&height=350
&debug=1


Workaround
==========

Manually remove the debugging code from chart.cgi and report.cgi, as it
is not needed for Bugzilla to function properly.


Fix
===

Update to one of the following versions: 3.4.13, 3.6.7, 4.0.3 or 4.2rc1.


Security Risk
=============

The risk of this vulnerability is estimated to be high. Being able to
embed arbitrary JavaScript code allows attackers to completely
manipulate the website, add their own content and track all user
interaction.


History
=======

2011-10-17 Vulnerability identified
2011-10-25 Customer approved disclosure to vendor
2011-10-27 Vendor notified
2011-11-21 CVE number assigned
2011-12-28 Vendor released fixed version
2012-01-03 Advisory released


References
==========

http://www.bugzilla.org/security/3.4.12/
https://bugzilla.mozilla.org/show_bug.cgi?id=697699


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
http://www.redteam-pentesting.de.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close