Security Advisory for Bugzilla 4.0rc2, 3.6.4, 3.4.10 and 3.2.10

Status: RESOLVED FIXED
Type: defect
Priority: --
Severity: blocker
Reported: 9 years ago
Last modified: 8 years ago

People

(Reporter: LpSolit, Assigned: mkanat)

Tracking

Bug Flags:
blocking4.0 +
blocking3.6.4 +
blocking3.4.10 +
blocking3.2.10 +

Attachments

(1 attachment, 4 obsolete attachments)

(Reporter)

Description

9 years ago
We have several moderate to critical security bugs to fix for 4.0rc2 & co. I also include the CGI.pm one, hoping a new version will be released on time on CPAN.

CVE ref welcome.
Flags: blocking4.0+
Flags: blocking3.6.4+
Flags: blocking3.4.10+
Flags: blocking3.2.10+
(Reporter)

Updated

8 years ago
Depends on: CVE-2010-4572
(Assignee)

Updated

8 years ago
Duplicate of this bug: 611201
(Assignee)

Comment 2

8 years ago
Posted file v1 (obsolete) —
Assignee: general → mkanat
Status: NEW → ASSIGNED
Attachment #506051 - Flags: review?(reed)
Attachment #506051 - Flags: review?(LpSolit)
(Assignee)

Updated

8 years ago
Component: Bugzilla-General → bugzilla.org
Target Milestone: Bugzilla 3.2 → ---
Comment on attachment 506051 [details]
v1

>Bugzilla is a Web-based bug-tracking system used by a large number of
>software projects. Recently, the Mozilla Project offered a bounty to
>anyone who could find a security issue in systems that Mozilla uses.
>
>This resulted in several new security issues being found in Bugzilla:

""
Recently, Mozilla expanded its security bug bounty program to include web applications (http://www.mozilla.org/security/bug-bounty.html).

As a result, several new security issues affecting Bugzilla were reported:
OR
This expansion resulted in the finding of several new security issues affecting Bugzilla:
""

The bounty program isn't new, so should clarify that only the webapp part is recent. Also, I added a link to the program. It couldn't hurt, and we might get more submissions that way. I think we should add a shout-out to Mozilla for offering this program, either before the vulnerability details or towards the end. We could move the link there if it's too prominent in the intro.

>* A weakness in Bugzilla could allow a user to gain unauthorized access
>  to another Bugzilla account.

Any reason why you're using "could allow" here when you use "allows" or more present/active verbs later on in the list?

>* A weakness in the Perl CGI.pm module allows injecting HTTP headers
>  and content to users, on several pages in Bugzilla.

s/users, on/users via/

>* Normally, Bugzilla does not make "javascript:" or "data:" URLs into
>  clickable links if they are put into the "URL" field, but there is
>  a way to bypass that protection.

This one doesn't flow. Need to restructure to match format of other issues. Maybe something starting like this:
A weakness in Bugzilla's protection against clickable "javascript:" or "data:" URLs allows ....

>* Various pages lacks protection against cross-site request forgeries.

s/lacks/lack/

>Description: By inserting certain strings into certain URLs, it was 
>             possible to inject both headers and content to any 
>             browser.

Got another word besides "certain" so you're not using it twice?

s/to any/into any/

>References:  https://bugzilla.mozilla.org/show_bug.cgi?id=591165
>             http://avatraxiom.livejournal.com/104105.html
>             http://cwe.mitre.org/data/definitions/113.html

Add https://bugzilla.mozilla.org/show_bug.cgi?id=621572.

>CVE Number:  CVE-2010-2761, CVE-2010-4572, CVE-2010-4411

List in numerical order (also since 2761 and 4411 go together).

>Description: Bugzilla 3.7.x and 4.0rc1 have a new client-side
>             autocomplete mechanism for all fields where a username
>             is entered. This mechanism was vulnerable to a cross-site
>             scripting attack.

s/a username/an e-mail address/

>CVS Number:  CVE-2010-4569

s/CVS/CVE/

>Description: Bugzilla has a "URL" field that can contain any type
>             of URL, including "javascript:" and "data:" URLs. However,
>             it does not make "javascript:" and "data:" URLs into
>             clickable links, to protect against cross-site scripting
>             attacks or other attacks. It was possible to bypass this
>             protection by adding spaces into the URL in places that
>             Bugzilla did not expect them.

s/any type/several types/

>Description: Various pages were vulnerable to non-critical Cross-Site
>             Request Forgery attacks. Some of these issues were only

Drop the "non-critical", as some do concern dataloss and such.

>             addressed on more recent branches of Bugzilla and not
>             fixed in earlier branches, to avoid changing behavior
>             that external applications may depend on.

... fixed in older branches in order to avoid changing ...

>References:  https://bugzilla.mozilla.org/show_bug.cgi?id=621090
>             https://bugzilla.mozilla.org/show_bug.cgi?id=621105
>             https://bugzilla.mozilla.org/show_bug.cgi?id=621107
>             https://bugzilla.mozilla.org/show_bug.cgi?id=621108
>             https://bugzilla.mozilla.org/show_bug.cgi?id=621109
>             https://bugzilla.mozilla.org/show_bug.cgi?id=621110

dveditz, do we need one CVE for all of these or one per issue?

>Willem Pinckaers of Pine Security (reporter, Account Compromise issue)

Pine Digital Security

>Alex Miller

Replace with mozilla11@mailinator.com (real name unknown). Alex was not the original reporter. If there are questions about this, poke me on IRC (not here).

>Comments and follow-ups can be directed to the mozilla.support.bugzilla
>newsgroup or the support-bugzilla mailing list.
>http://www.bugzilla.org/support/ has directions for accessing these
>forums.

You know, we don't actually have a place (that I can find) explaining how to report security bugs. We should either add a blurb here at the bottom or include something on the /support/ page.
Attachment #506051 - Flags: review?(reed) → review-
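The "URL" field bypass described in that advisory entry, shown as an added example that is not Bugzilla's own code: a naive prefix check that spaces slip past, next to a check that strips the whitespace and control characters browsers ignore before matching the scheme against an allowlist. The allowlist and the function names are assumptions made for this illustration.

```python
import re

# Schemes this example is willing to render as clickable links. This is an
# assumed policy for the illustration, not Bugzilla's own list.
SAFE_SCHEMES = {"http", "https", "ftp", "mailto"}

# Browsers discard ASCII whitespace and control characters while parsing a
# URL, so "java script:..." or "\tjavascript:..." still runs script once it
# is clicked. The hardened check removes the same characters before looking
# at the scheme, so it sees what the browser will see.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def naive_is_linkable(url):
    """Fragile check: only inspects the raw prefix of the string."""
    lowered = url.lower()
    return not (lowered.startswith("javascript:") or lowered.startswith("data:"))


def normalized_scheme(url):
    """Return the lower-cased scheme as a browser would parse it, or None."""
    cleaned = _CONTROL_OR_SPACE.sub("", url)
    match = re.match(r"^([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return match.group(1).lower() if match else None


def is_linkable(url):
    """Hardened check: allowlist the normalised scheme instead of denylisting
    raw prefixes. URLs with no recognisable scheme are left unlinked."""
    scheme = normalized_scheme(url)
    return scheme is not None and scheme in SAFE_SCHEMES


if __name__ == "__main__":
    # Constructed sample inputs: the first two are the bypass pattern the
    # advisory describes (unexpected spaces), the last is an ordinary link.
    for sample in ("java script:alert(1)", " javascript:alert(1)",
                   "https://bugzilla.mozilla.org/"):
        print(repr(sample), naive_is_linkable(sample), is_linkable(sample))
```

The naive check returns True (link it) for both spaced variants, while the allowlist check rejects them and still accepts the ordinary https link.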
(In reply to comment #3)
> >References:  https://bugzilla.mozilla.org/show_bug.cgi?id=621090
> >             https://bugzilla.mozilla.org/show_bug.cgi?id=621105
> >             https://bugzilla.mozilla.org/show_bug.cgi?id=621107
> >             https://bugzilla.mozilla.org/show_bug.cgi?id=621108
> >             https://bugzilla.mozilla.org/show_bug.cgi?id=621109
> >             https://bugzilla.mozilla.org/show_bug.cgi?id=621110
> 
> dveditz, do we need one CVE for all of these or one per issue?

Looks like Jose A. Vazquez reported one and then you investigated and looked for other places with the same pattern/problem? If so, a single CVE is appropriate.
(Reporter)

Comment 5

8 years ago
/me will wait for an updated sec adv before reviewing it.
(In reply to comment #4)
> > dveditz, do we need one CVE for all of these or one per issue?
> 
> Looks like Jose A. Vazquez reported one and then you investigated and looked
> for other places with the same pattern/problem? If so a single CVE is
> appropriate.

Correct. Please assign one then. :)
Also need to add bug 628034 to the advisory.
(In reply to comment #7)
> Also need to add bug 628034 to the advisory.

... and add Mike Brooks to the credits, as the reporter.
(In reply to comment #8)
> (In reply to comment #7)
> > Also need to add bug 628034 to the advisory.
> 
> ... and add Mike Brooks to the credits, as the reporter.

Make that: Michael Brooks (Sitewatch).
(Assignee)

Comment 10

8 years ago
Posted file v2 (obsolete) —
Okay, addressed almost everything that reed pointed out.
Attachment #506051 - Attachment is obsolete: true
Attachment #506330 - Flags: review?(reed)
Attachment #506330 - Flags: review?(LpSolit)
Attachment #506051 - Flags: review?(LpSolit)
(Reporter)

Updated

8 years ago
Attachment #506330 - Attachment is patch: false
Comment on attachment 506330 [details]
v2

>References:  https://bugzilla.mozilla.org/show_bug.cgi?id=619588
>             https://bugzilla.mozilla.org/show_bug.cgi?id=628034
>CVE Number:  CVE-2010-4567

Add CVE-2011-0048 to the list.

>References:  https://bugzilla.mozilla.org/show_bug.cgi?id=621090
>             https://bugzilla.mozilla.org/show_bug.cgi?id=621105
>             https://bugzilla.mozilla.org/show_bug.cgi?id=621107
>             https://bugzilla.mozilla.org/show_bug.cgi?id=621108
>             https://bugzilla.mozilla.org/show_bug.cgi?id=621109
>             https://bugzilla.mozilla.org/show_bug.cgi?id=621110

CVE-2011-0046

>Willem Pinckaers of pine.nl (reporter, Account Compromise issue)

Pine Digital Security, if you can...

>Michael Brooks

List as: Michael Brooks of Sitewatch

>Jose A. Vazquez

José A. Vázquez (I know his bugzilla account says differently, but this comes from e-mail)
Attachment #506330 - Attachment is patch: true
Attachment #506330 - Attachment is patch: false
(Assignee)

Comment 12

8 years ago
Posted patch v3 (obsolete) — Splinter Review
Attachment #506330 - Attachment is obsolete: true
Attachment #506489 - Flags: review?(reed)
Attachment #506489 - Flags: review?(LpSolit)
Attachment #506330 - Flags: review?(reed)
Attachment #506330 - Flags: review?(LpSolit)
Comment on attachment 506489 [details] [diff] [review]
v3

>Class:       HTTP Response Splitting
>Versions:    Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2
>Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
>Description: By inserting particular strings into certain URLs, it was
>             possible to inject both headers and content to any 
>             browser.
>References:  https://bugzilla.mozilla.org/show_bug.cgi?id=591165
>             http://avatraxiom.livejournal.com/104105.html
>             http://cwe.mitre.org/data/definitions/113.html

Add https://bugzilla.mozilla.org/show_bug.cgi?id=621572.

>Dave Lawrence

David, as per IRC.

r=reed with those fixed.
Attachment #506489 - Flags: review?(reed) → review+
Comment on attachment 506489 [details] [diff] [review]
v3

>* A weakness in Bugzilla could allow a user to gain unauthorized access
>  to another Bugzilla account.

Any reason why you're using "could allow" here when you use "allows" or more present/active verbs later on in the list?

>Class:       Cross-Site Request Forgery
>Versions:    Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2
>Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
>Description: Various pages were vulnerable to Cross-Site Request 
>             Forgery attacks. Most of these issues are not as serious
>             as previous CSRF vulnerabilities. Some of these issues
>             were only addressed on more recent branches of Bugzilla
>             and not fixed in earlier branches, to avoid changing
>             behavior that external applications may depend on.

s/, to/in order to/
Attachment #506489 - Flags: review+ → review-
(Assignee)

Comment 15

8 years ago
(In reply to comment #14)
> Any reason why you're using "could allow" here when you use "allows" or more
> present/active verbs later on in the list?

  I felt it was more accurate.

> s/, to/in order to/

  Will fix.
(Assignee)

Comment 16

8 years ago
Posted patch v4 (obsolete) — Splinter Review
Attachment #506489 - Attachment is obsolete: true
Attachment #506528 - Flags: review?(reed)
Attachment #506528 - Flags: review?(LpSolit)
Attachment #506489 - Flags: review?(LpSolit)
(Reporter)

Comment 18

8 years ago
Comment on attachment 506528 [details] [diff] [review]
v4

>Willem Pinckaers of pine.nl (reporter, Account Compromise issue)

We want a "special thanks" section for Willem, as discussed on IRC.
(Assignee)

Comment 19

8 years ago
Posted patch v5 — Splinter Review
Attachment #506528 - Attachment is obsolete: true
Attachment #506545 - Flags: review?(LpSolit)
Attachment #506528 - Flags: review?(LpSolit)
(Reporter)

Comment 20

8 years ago
Comment on attachment 506545 [details] [diff] [review]
v5

nice, thanks! r=LpSolit
Attachment #506545 - Flags: review?(LpSolit) → review+
Comment on attachment 506545 [details] [diff] [review]
v5

>Full release downloads, patches to upgrade Bugzilla from previous
>versions, and CVS/bzr upgrade instructions are available at:
>
>  http://www.bugzilla.org/download/
>
>
>Credits
>=======

Remove the extra line.

>Willem Pinckaers

Willem Pinckaers (Pine Digital Security)
(Reporter)

Comment 22

8 years ago
(In reply to comment #21)
> >Willem Pinckaers
> 
> Willem Pinckaers (Pine Digital Security)

No, this is already in the section below.
Comment on attachment 506545 [details] [diff] [review]
v5

(In reply to comment #22)
> (In reply to comment #21)
> > >Willem Pinckaers
> > 
> > Willem Pinckaers (Pine Digital Security)
> 
> No, this is already in the section below

No, should also list it in the credits section. Believe me, it's better to duplicate it than upset somebody down the road. I've been down this road before. ;)
Attachment #506545 - Flags: review-
(Reporter)

Comment 24

8 years ago
Security advisory sent. Removing the security flag.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED