Bug 389843 - Security Advisory for 2.20.5, 2.22.3, 3.0.1, and 3.1.1
Status: RESOLVED FIXED (Closed)
Opened 18 years ago; closed 17 years ago
Product/Component: Bugzilla :: bugzilla.org (defect)
Reporter: LpSolit; Assigned: LpSolit
Attachments: 1 file, 1 obsolete file
3 security bugs will be fixed. We need a sec adv for them.
Comment 1 • 18 years ago (by Assignee)
I'm not quite sure about the 2nd issue, especially its class and the kind of damage it can do.
Comment 2 • 18 years ago
Comment on attachment 276935 [details]
Sec Adv, v1
>+ Users using the WebService interface may access time-related data they
> are not allowed to read.
Let's make that:
Users using the WebService interface may access Bugzilla's time-tracking fields even if they normally cannot see them.
>Description: Bugzilla does not properly escape the 'buildid' field in
> the guided form when filing bugs. From 2.17.1 till 2.23.3,
> this field was based exclusively on the User-Agent string
> returned by your web browser, which may be considered as
> safe or not.
Don't put "which may be considered as safe or not"--security folks will be unhappy with that, as it's never safe.
> Since 2.23.4, this parameter can be defined
> in the URL passed to enter_bug.cgi, overwriting the
> User-Agent string and may lead to cross-site scripting.
Mention also:
The guided form is not usually used by Bugzilla installations, as it is shipped only as an example to be modified for their own use.
>Issue 2
>-------
>Class: Manipulation Of Data
"Command Injection" I believe.
>Versions: 2.23.4 and above
>Description: Bugzilla 2.23.4 and newer use the Email:: modules instead
> of the Mail:: and MIME:: ones. The argument passed to the -f
> option of Email::Send::Sendmail() is insufficiently escaped
> and may lead to arbitrary code execution
"limited command injection" instead of "arbitrary code execution". (The commands you can run are very limited, but you can still run commands.)
> when called from
> email_in.pl, a script which has also been introduced in 2.23.4.
"was" instead of "has also been".
>Description: WebService allows you to get data from a Bugzilla installation
> using XML-RPC. Time-related data of bugs are returned in all
> cases, even when the user asking for these data does not have
> the required privileges.
"Bugzilla's WebService (XML-RPC) interface allows you to access the time-tracking fields (such as Deadline, Estimated Time, etc.) on all bugs, even if you normally cannot access time-tracking fields."
>Full release downloads, patches to upgrade Bugzilla from previous
>versions, and CVS upgrade instructions are available at:
>
> http://www.bugzilla.org/download.html
http://www.bugzilla.org/download/
Otherwise, looks great! :-) Thank you!
Attachment #276935 - Flags: review?(mkanat) → review-
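Added example, not from this bug's attachments and not Bugzilla's or Email::Send's own code: a hypothetical Perl helper showing the defensive pattern for Issue 2 above, where an envelope sender is handed to sendmail's -f option. It assumes sendmail lives at /usr/sbin/sendmail; the subs valid_envelope_from, sendmail_argv and deliver are names chosen for this example.

```perl
#!/usr/bin/perl
# Added example (hypothetical helper), not Bugzilla's or Email::Send's code.
# The envelope sender given to sendmail -f is validated first and then passed
# as its own argv element, so no shell ever sees it.
use strict;
use warnings;

my $SENDMAIL = '/usr/sbin/sendmail';   # assumed path for this example

# Accept only a conservative addr-spec: no whitespace, quotes or shell
# metacharacters, so the value cannot be read as extra options or commands.
sub valid_envelope_from {
    my ($addr) = @_;
    return defined $addr
        && length($addr) <= 254
        && $addr =~ /\A[A-Za-z0-9._%+-]{1,64}\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/;
}

# Build the argument vector for sendmail. Returning a list (not a single
# string) means each element reaches sendmail as exactly one argv entry.
sub sendmail_argv {
    my ($from) = @_;
    die "refusing unsafe envelope sender\n" unless valid_envelope_from($from);
    return ($SENDMAIL, '-oi', '-t', '-f', $from);
}

# Deliver $message through a list-form pipe open, which bypasses /bin/sh.
sub deliver {
    my ($from, $message) = @_;
    my @argv = sendmail_argv($from);
    open(my $pipe, '|-', @argv) or die "cannot run $argv[0]: $!\n";
    print $pipe $message;
    close($pipe) or die "sendmail failed: exit " . ($? >> 8) . "\n";
}

# Constructed inputs for demonstration: one clean address, two that a
# shell would tokenise differently and which the validator rejects.
for my $candidate ('reporter@example.com', 'reporter@example.com;x', 'a b@example.com') {
    print "$candidate => ", (valid_envelope_from($candidate) ? 'accepted' : 'rejected'), "\n";
}
print "argv: ", join(' | ', sendmail_argv('reporter@example.com')), "\n";
```

deliver() is only called when a message actually needs to go out; the demonstration at the bottom exercises the validator and argv builder without invoking sendmail.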
Comment 3 • 18 years ago (by Assignee)
Attachment #276935 - Attachment is obsolete: true
Attachment #277027 - Flags: review?(mkanat)
Comment 4 • 18 years ago
Comment on attachment 277027 [details]
Sec Adv, v2
Looks great! Thanks! :-)
Attachment #277027 - Flags: review?(mkanat) → review+
Comment 5 • 17 years ago
Okay, sent to support-bugzilla, announce@, and BugTraq.
Group: webtools-security
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED