Bugzilla Security Advisory November 2, 2003 Summary ======= Bugzilla is a Web-based bug-tracking system, currently used by a large number of software projects. This advisory covers security bugs that have recently been discovered and fixed in the Bugzilla code: two instances of arbitrary SQL injection exploitable only by a privileged user, one instance where a privileged user may retain privileges that should have been removed, and two instances of unprivileged access to summaries of restricted data. These bugs are not considered critical, since their impact is quite limited. Nevertheless, all Bugzilla installations are advised to upgrade to the latest stable version of Bugzilla, 2.16.4, which was released today. Development snapshots prior to version 2.17.5 are also affected, so if you are using a development snapshot, you should obtain a newer one (2.17.5) or use CVS to update. Vulnerability Details ===================== Issue 1 ------- Class: SQL injection (by privileged user only) Versions: 2.16.3 and earlier (2.17.1 and up are not affected) Description: A user with 'editproducts' privileges (i.e. usually an administrator) can select arbitrary SQL to be run by the nightly statistics cron job (collectstats.pl), by giving a product a special name. Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=214290 Issue 2 ------- Class: SQL injection (by privileged user only) Versions: 2.16.3 and earlier, 2.17.1 through 2.17.4 Description: A user with 'editkeywords' privileges (i.e. usually an administrator) can inject arbitrary SQL via the URL used to edit an existing keyword. Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=219044 Issue 3 ------- Class: Privilege mishandling Versions: 2.16.3 and earlier (2.17.1 and up are not affected) Description: When deleting products and the 'usebuggroups' parameter is on, the privilege which allows someone to add people to the group which is being deleted does not get removed, allowing people with that privilege to get that privilege for the next group that is created which reuses that group ID. Note that this only allows someone who had been granted privileges in the past to retain them. Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=219690 Issue 4 ------- Class: Information leak Versions: 2.16.3 and earlier, 2.17.1 through 2.17.4 Description: If you know the email address of someone who has voted on a secure bug, you can access the summary of that bug even if you do not have sufficient permissions to view the bug itself. Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=209376 Issue 5 ------- Class: Information leak Versions: 2.17.3 and 2.17.4 only Description: Under some circumstances, a user can obtain component descriptions for a product to which he does not normally have access. Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=209742 Vulnerability Solutions ======================= The fixes for all of the security bugs mentioned in this advisory are included in the 2.16.4 and 2.17.5 releases. Upgrading to these releases will protect installations from these issues. Full release downloads, patches to upgrade Bugzilla to 2.16.4 from previous 2.16.x verions, and CVS upgrade instructions are available at: http://www.bugzilla.org/download.html Specific patches for each of the individual issues can be found on the corresponding bug reports for each issue, at the URL given in the reference for that issue in the list above. Credits ======= The Bugzilla team wish to thank the following people for their assistance in locating and advising us of these situations: Bradley Baetz - for discovering and fixing the issue with voting on a secure bug Ryan Cleary - for discovering the issue with component descriptions of secured products Andrew Eross - for discovering the SQL injection in collectstats.pl Vlad Dascalu - for discovering the SQL injection in editkeywords.cgi Stefan Mayr - for discovering and fixing the privilege deletion issue when deleting products General information about the Bugzilla bug-tracking system can be found at http://www.bugzilla.org/ Comments and follow-ups can be directed to the netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing list; http://www.bugzilla.org/discussion.html has directions for accessing these forums. -30- -- Dave Miller Project Leader, Bugzilla Bug Tracking System http://www.justdave.net/ http://www.bugzilla.org/