Closed Bug 741079 Opened 10 years ago Closed 10 years ago

Security advisory for Bugzilla 4.2.1, 4.0.6 and 3.6.9

Categories

(Bugzilla :: bugzilla.org, defect)

defect
Not set
blocker


RESOLVED FIXED

People

(Reporter: LpSolit, Assigned: dkl)

Attachments

(1 file, 3 obsolete files)

We have one security bug ready for checkin: bug 728639, affecting all active branches.
Flags: blocking4.2.1+
Attached file 3.6.8 sec adv (v1) (obsolete) —
Assignee: website → dkl
Status: NEW → ASSIGNED
Attachment #614481 - Flags: review?(LpSolit)
Comment on attachment 614481 [details]
3.6.8 sec adv (v1)

>* When abusing X-FORWARDED-FOR header, an attacker could bypass 
>  lockout policy allowing a possible brute-force discovery of a 
>  valid user password.

Maybe it's just me, but shouldn't you add "the" before "X-FORWARDED-FOR header" and "lockout policy"?


>Versions:    3.6.8, 4.0.5, 4.2

All versions since 3.5.3 are vulnerable, so it must be: 3.5.3 to 3.6.8, 3.7.1 to 4.0.5, 4.1.1 to 4.2.


>Description: Due to a lack of proper validation of the X-FORWARDED-FOR
>             header of an authentication request, an attacker could bypass
>             the current lockout policy used for protection against and 
>             brute-force password discovery or possible denial of service
>             attack.

I don't understand "against" in this sentence. Also, don't mention DoS as it's not true. Also, mention that this vulnerability can only be exploited if the 'inbound_proxies' parameter is set.


>David Lawrence
>Byron Jones
>Frédéric Buclin

The credits list contains the following people, in this order: assignee, reviewer, reporter. So we have:

Frédéric Buclin
Byron Jones
Soroush Dalili
Attachment #614481 - Flags: review?(LpSolit) → review-
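As an added illustration, not Bugzilla's own code or the patch for this bug: the lockout-key derivation the review above describes, honouring X-Forwarded-For only when the request arrives from a proxy listed in the inbound_proxies parameter. The INBOUND_PROXIES set, MAX_FAILED_LOGINS and the LoginLockout class are constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed values, not Bugzilla's own: the reverse proxy an administrator
# would list in the inbound_proxies parameter, and the failed-login limit.
INBOUND_PROXIES = {"10.0.0.5"}
MAX_FAILED_LOGINS = 5


def client_ip(remote_addr, x_forwarded_for, inbound_proxies=INBOUND_PROXIES):
    """Address that lockout accounting is keyed on.

    X-Forwarded-For is honoured only when the TCP peer is a configured
    inbound proxy, and then only its last element (the hop that proxy
    actually saw), after checking that it parses as an IP address.
    Everything else falls back to the peer address, so a client cannot
    choose its own lockout key simply by sending the header itself.
    """
    if remote_addr not in inbound_proxies or not x_forwarded_for:
        return remote_addr
    candidate = x_forwarded_for.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return remote_addr


class LoginLockout:
    """Per-address failed-login counter with a hard lockout threshold."""

    def __init__(self, limit=MAX_FAILED_LOGINS):
        self.limit = limit
        self.failures = defaultdict(int)

    def attempt(self, remote_addr, x_forwarded_for, password_ok):
        ip = client_ip(remote_addr, x_forwarded_for)
        if self.failures[ip] >= self.limit:
            return "locked"
        if password_ok:
            return "ok"
        self.failures[ip] += 1
        return "denied"

    def run(self, attempts):
        """Replay (remote_addr, x_forwarded_for, password_ok) tuples."""
        return [self.attempt(*a) for a in attempts]
```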
Attached file 3.6.8 sec adv (v2) (obsolete) —
Thanks for the review. Grammar errors fixed as well as other changes.

dkl
Attachment #614481 - Attachment is obsolete: true
Attachment #614673 - Flags: review?(LpSolit)
Comment on attachment 614673 [details]
3.6.8 sec adv (v2)

>             header of an authentication request, an attacker could bypass
>             the current lockout policy used for protection against brute-

>The fix for this issue is included in the 3.6.9, 4.0.6 and 4.2.1 releases.

This is fine, but these 3 lines are longer than 72 characters. This can be fixed when sending the sec adv by email. r=LpSolit
Attachment #614673 - Attachment is patch: false
Attachment #614673 - Flags: review?(LpSolit) → review+
Depends on: CVE-2012-0466
Attached file 3.6.8 sec adv (v3) (obsolete) —
Added additional security issue fixed.
Attachment #614673 - Attachment is obsolete: true
Attachment #615979 - Flags: review?(LpSolit)
Comment on attachment 615979 [details]
3.6.8 sec adv (v3)

>* It is possible, using cross-site scripting, for an attacker using
>  JavaScript in buglist.cgi to gain access to bug information
>  using a victim's account.

This sounds like the attacker could inject JavaScript in buglist.cgi, which is not true. I would rather say something like:

* An attacker can get access to some bug information using
  the victim's credentials using a specially crafted HTML page.


>Class:       Cross Site Scripting
>Versions:    3.5.3 to 3.6.8, 3.7.1 to 4.0.5, 4.1.1 to 4.2

2.17.4 and above are affected. So it must start with "2.17.4 to 3.6.8, ...".


>Description: A JavaScript template used by buglist.cgi could be used
>             by a malicious script accessing a Bugzilla instance
>             and gaining access to bug information using a victim's
>             account. This is a problem if the target Bugzilla instance 
>             always requires a valid login when accessing any page.

s/and gaining/to gain/ maybe?

Also, the last sentence is confusing. It sounds like this is only a problem when requirelogin is turned on, which is not quite true. Even without requiring the user to log in, this could be used by the attacker to gain access to bugs he is not allowed to see (such as security bugs). Maybe the whole paragraph could be reworded to:

"A JavaScript template used by buglist.cgi could be used
 by a malicious script to permit an attacker to gain access
 to some information about bugs he would not normally be
 allowed to see, using the victim's credentials. To be
 exploitable, the victim must be logged in when visiting
 the attacker's malicious page."


>The fix for this issue is included in the 3.6.9, 4.0.6 and 4.2.1 releases.
>Upgrading to a release with the relevant fix will protect your
>installation from possible exploits of this issue.

fix and issue must be plural.


>If you are unable to upgrade but would like to patch just the
>individual security vulnerability, there is a patch available for
>the issue at the "References" URL for the vulnerability.

vulnerability and patch must be plural. Also,
s/the issue/each issue/
s/the vulnerability/each vulnerability/
Attachment #615979 - Flags: review?(LpSolit) → review-
Attachment #615979 - Attachment is patch: false
Attachment #615979 - Attachment is obsolete: true
Attachment #616180 - Flags: review?(LpSolit)
Comment on attachment 616180 [details]
3.6.8 sec advisory (v4)

>releases. Upgrading to a release with the relevant fixes will protect your
>installation from possible exploits of this issue.

s/this issue/these issues/. This can be fixed before sending the sec adv by email. r=LpSolit
Attachment #616180 - Flags: review?(LpSolit) → review+
Security Advisory sent.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED