exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

bugzilla5issues.txt

bugzilla5issues.txt
Posted Nov 4, 2003
Authored by Dave Miller | Site bugzilla.org

Bugzilla Security Advisory - Five security related bugs have been discovered in this web-based bug tracking system. Two relate to SQL injection attacks via privileged user accounts. A third allows ex-members of a deleted group to get inserted into a new group if it is created reusing the same name. Two other issues allow extraction of bug information for any known email address and for a user to obtain descriptions for a product they do not have access to.

tags | advisory, web, sql injection
SHA-256 | 39b258a4c1f61e7a04f61190675f88517211c8525b062d55c9f258be69b46223

bugzilla5issues.txt

Change Mirror Download
Bugzilla Security Advisory

November 2, 2003

Summary
=======

Bugzilla is a Web-based bug-tracking system, currently used by a large
number of software projects.

This advisory covers security bugs that have recently been discovered
and fixed in the Bugzilla code: two instances of arbitrary SQL injection
exploitable only by a privileged user, one instance where a privileged
user may retain privileges that should have been removed, and two
instances of unprivileged access to summaries of restricted data.

These bugs are not considered critical, since their impact is quite
limited. Nevertheless, all Bugzilla installations are advised to upgrade
to the latest stable version of Bugzilla, 2.16.4, which was released
today.

Development snapshots prior to version 2.17.5 are also affected, so if
you are using a development snapshot, you should obtain a newer one
(2.17.5) or use CVS to update.


Vulnerability Details
=====================

Issue 1
-------
Class: SQL injection (by privileged user only)
Versions: 2.16.3 and earlier (2.17.1 and up are not affected)
Description: A user with 'editproducts' privileges (i.e. usually an
administrator) can select arbitrary SQL to be run by the
nightly statistics cron job (collectstats.pl), by giving a
product a special name.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=214290

Issue 2
-------
Class: SQL injection (by privileged user only)
Versions: 2.16.3 and earlier, 2.17.1 through 2.17.4
Description: A user with 'editkeywords' privileges (i.e. usually an
administrator) can inject arbitrary SQL via the URL used to
edit an existing keyword.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=219044

Issue 3
-------
Class: Privilege mishandling
Versions: 2.16.3 and earlier (2.17.1 and up are not affected)
Description: When deleting products and the 'usebuggroups' parameter is
on, the privilege which allows someone to add people to the
group which is being deleted does not get removed, allowing
people with that privilege to get that privilege for the
next group that is created which reuses that group ID.
Note that this only allows someone who had been granted
privileges in the past to retain them.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=219690

Issue 4
-------
Class: Information leak
Versions: 2.16.3 and earlier, 2.17.1 through 2.17.4
Description: If you know the email address of someone who has voted on a
secure bug, you can access the summary of that bug even if
you do not have sufficient permissions to view the bug
itself.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=209376

Issue 5
-------
Class: Information leak
Versions: 2.17.3 and 2.17.4 only
Description: Under some circumstances, a user can obtain component
descriptions for a product to which he does not normally
have access.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=209742


Vulnerability Solutions
=======================

The fixes for all of the security bugs mentioned in this advisory
are included in the 2.16.4 and 2.17.5 releases. Upgrading to these
releases will protect installations from these issues.

Full release downloads, patches to upgrade Bugzilla to 2.16.4 from
previous 2.16.x verions, and CVS upgrade instructions are available at:
http://www.bugzilla.org/download.html

Specific patches for each of the individual issues can be found on the
corresponding bug reports for each issue, at the URL given in the
reference for that issue in the list above.


Credits
=======

The Bugzilla team wish to thank the following people for their
assistance in locating and advising us of these situations:

Bradley Baetz - for discovering and fixing the issue with voting on a
secure bug
Ryan Cleary - for discovering the issue with component descriptions of
secured products
Andrew Eross - for discovering the SQL injection in collectstats.pl
Vlad Dascalu - for discovering the SQL injection in editkeywords.cgi
Stefan Mayr - for discovering and fixing the privilege deletion issue
when deleting products


General information about the Bugzilla bug-tracking system can be found
at http://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools
mailing list; http://www.bugzilla.org/discussion.html has directions for
accessing these forums.

-30-
--
Dave Miller Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/ http://www.bugzilla.org/
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close