[BUGZILLA] XSS in Internal Error messages in Bugzilla 2.16.7 and 2.18rc3

David Miller justdave at bugzilla.org
Fri Jan 7 02:06:01 UTC 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bugzilla Security Advisory
January 6, 2005

Summary
=======

Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.

This advisory covers a single cross-site scripting issue that has
recently been discovered and fixed in the Bugzilla code: If a malicious
user links to a Bugzilla site using a specially crafted URL, a script in
the error page generated by Bugzilla will display the URL unaltered in
the page, allowing scripts embedded in the URL to execute.  Not all
browsers are affected.  Many web browsers prevent these types of URLs
from being sent in the first place.  A list of browsers that we know are
or are not affected is in the Vulnerability Details section below.

At this time, we are very close to producing a new release of Bugzilla,
however, that release has not yet been completed.  In the mean time, we
felt it was only fair to advise everyone of this issue, since it has
already been made public via at least BugTraq and Secunia as part of a
broader paper covering cross-site scripting on many major websites.

We do have patches available which can be applied to your Bugzilla
installation.


Vulnerability Details
=====================

Class:       Cross-site scripting
Versions:    2.15 through 2.18rc3 and 2.19.1(from cvs)
Description: It is possible to send a carefully crafted URL to Bugzilla
~             designed to trigger an error message.  The Internal Error
~             message includes javascript code which displays the URL the
~             user is visiting.  The javascript code does not escape the
~             URL before displaying it, allowing scripts contained in the
~             URL to be executed by the browser.  Many browsers do not
~             allow unescaped URLs to be sent to a webserver (thus
~             complying with RFC 2616 section 2.3.1 and RFC 2396 section
~             2.4.3), and are thus immune to this issue.
~             Browsers which are known to be immune:
~             - Firefox 1.0
~             - Mozilla 1.7.5
~             - Camino 0.8.2
~             - Netscape 7.2
~             - Safari 1.2.4
~             Browsers known to be susceptible:
~             - Internet Explorer 6 SP2
~             - Konqueror 3.2
~             Browsers not listed here have not been tested.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=272620
CVE Name:    CAN-2004-1061


Vulnerability Solutions
=======================

The fixes for the security bug mentioned in this advisory will be
included in the 2.16.8 and 2.18 releases, and in the first release
candidate of 2.20, none of which are yet available at this writing. In
the mean time, the patch to correct the issue may be downloaded from the
bug report at https://bugzilla.mozilla.org/show_bug.cgi?id=272620 .
Applying the provided patch, or upgrading to these releases once they
are available, will protect installations from possible exploits of this
issue.


Credits
=======

The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix
these situations:

Michael Krax
Gervase Markham
Marc Schumann


General information about the Bugzilla bug-tracking system can be found
at http://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools
mailing list; http://www.bugzilla.org/support/ has directions for
accessing these forums.

- -30-

- --
Dave Miller                                   http://www.justdave.net/
System Administrator, Mozilla Foundation       http://www.mozilla.org/
Project Leader, Bugzilla Bug Tracking System  http://www.bugzilla.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD4DBQFB3e6I0YeDAOcbS44RAkt8AJjNxA+iZ6t+thlK+oJVwu4RHWA4AJ4+mOeS
smjYVRn6Zx/P4eBSwiqd5Q==
=ucpu
-----END PGP SIGNATURE-----



More information about the announce mailing list