The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Two Bugzilla Information Disclosure Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.bugzilla.org/> Bugzilla - "Open-source bug tracking software,
with a web-based interface. Written in Perl, with MySQL database
back-end."
Bugzilla Security Advisory reveals two information leaking issues that
have recently been discovered and fixed in Bugzilla.
DETAILS
Vulnerable Systems:
* Bugzilla versions 2.17.1 - 2.18.1, 2.19.1 - 2.19.3
Immune Systems:
* Bugzilla version 2.18.2
Any user can change a flag on any bug: (Versions: 2.17.1 - 2.18.1, 2.19.1
- 2.19.3)
Any user can change any flag on any bug, even if they don't have access to
that bug, or even if they can't normally make bug changes. This also
allows them to expose the summary of a bug. By manually modifying a link
to process_bug.cgi, it is possible to change a flag on a bug that you do
not have access to, because Bugzilla does not validate that the flag you
are attempting to change is associated with the bug that you are
attempting to change. If the attacker makes a flag change which causes the
attacker to be emailed, the attacker will see the summary of the bug in
that email. If you are using the request_group or grant_group features of
2.19, the attacker will be prevented from exploiting this security hole if
they do not have permission to change the flag in the fashion that they
are changing it.
Reference:
<https://bugzilla.mozilla.org/show_bug.cgi?id=293159>
https://bugzilla.mozilla.org/show_bug.cgi?id=293159
Summaries of private bugs are exposed: (Versions:2.17.1 and above)
Bugs are inserted into the database before they are marked as private, in
Bugzilla code. Thus, MySQL replication can lag in between the time that
the bug is inserted and when it is marked as private (usually less than a
second). If replication lags at this point, the bug summary will be
accessible to all users until replication catches up. Also, on a very slow
machine, there may be a pause longer than a second that allows users to
see the title of the newly-filed bug.
Reference:
<https://bugzilla.mozilla.org/show_bug.cgi?id=292544>
https://bugzilla.mozilla.org/show_bug.cgi?id=292544
Patch Availability:
All Bugzilla installations are advised to upgrade to the latest stable
version of Bugzilla, 2.18.2.
<http://www.bugzilla.org/download.html>
http://www.bugzilla.org/download.html
ADDITIONAL INFORMATION
The information has been provided by <mailto:mkanat@bugzilla.org> Max
Kanat-Alexander.
The original article can be found at:
<https://bugzilla.mozilla.org/show_bug.cgi?id=293159>
https://bugzilla.mozilla.org/show_bug.cgi?id=293159
The original article can be found at:
<https://bugzilla.mozilla.org/show_bug.cgi?id=292544>
https://bugzilla.mozilla.org/show_bug.cgi?id=292544
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
