lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <40F07A58.6070401@bugzilla.org>
Date: Sat, 10 Jul 2004 19:23:04 -0400
From: David Miller <justdave@...zilla.org>
To: announce@...zilla.org, Bugzilla mail list <mozilla-webtools@...illa.org>,
   mozilla-announce@...illa.org, bugtraq@...urityfocus.com
Subject: [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bugzilla Security Advisory
July 10, 2004

Summary
=======

Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.

This advisory covers security bugs that have recently been discovered
and fixed in the Bugzilla code: In the stable 2.16 releases, one instance
of arbitrary SQL injection exploitable only by a privileged user, several
instances of insufficient data validation and/or escaping, and two
instances of unprivileged access to names of restricted products. We know
of no occasion where any of these vulnerabilities have been exploited.

All Bugzilla installations are advised to upgrade to the latest stable
version of Bugzilla, 2.16.6, which was released today.

Development snapshots prior to version 2.18rc1 are also affected, so if
you are using a development snapshot, you should obtain a newer one
(2.18rc1) or use CVS to update.


Vulnerability Details
=====================

Issue 1
- -------
Class:       Database Password Compromise
Versions:    2.17.1 through 2.17.7 (2.16-based releases are not affected)
Description: If the SQL server is halted but the webserver is left running,
~             older versions of DBI display an error message to the remote
~             user which contains the database password. While a properly-
~             configured database would still only be accessible by a local
~             user using that password, all installations are advised to
~             change the password after upgrading.
Reference:   http://bugzilla.mozilla.org/show_bug.cgi?id=227191

Issue 2
- -------
Class:       Privilege escalation
Versions:    2.17.1 through 2.17.7 (2.16-based releases are not affected)
Description: A user with privileges to grant membership to one or more
~             individual groups (i.e. usually an administrator) can
~             trick the administrative controls into granting membership
~             in groups other than the ones he has privileges for.
Reference:   http://bugzilla.mozilla.org/show_bug.cgi?id=233486

Issue 3
- -------
Class:       Information Leak
Versions:    All versions prior to 2.16.6 and 2.18rc1
Description: If Bugzilla is configured to hide entire products from some
~             users, both duplicates.cgi and the form for mass-editing a
~             list of bugs in buglist.cgi can disclose the names of those
~             hidden products to such users.
References:  http://bugzilla.mozilla.org/show_bug.cgi?id=234825
~             http://bugzilla.mozilla.org/show_bug.cgi?id=234855

Issue 4
- -------
Class:       Cross-site scripting vulnerability
Versions:    All versions prior to 2.16.6 and 2.18rc1
Description: Several administration CGIs echo invalid data back to the
~             user without escaping it.
Reference:   http://bugzilla.mozilla.org/show_bug.cgi?id=235265

Issue 5
- -------
Class:       User Password embedded in URL
Versions:    2.17.5 through 2.17.7 (2.16-based releases are not affected)
Description: The user's password can be embedded as part of an image URL,
~             and thus visible in the web server logs, if the user is
~             prompted to log in while attempting to view a chart.
Reference:   http://bugzilla.mozilla.org/show_bug.cgi?id=235510

Issue 6
- -------
Class:       Remote SQL injection vulnerability
Versions:    All versions prior to 2.16.6 and 2.18rc1
Description: A user with privileges to grant membership to any group
~             (i.e. usually an administrator) can trick editusers.cgi
~             into executing arbitrary SQL.
Reference:   http://bugzilla.mozilla.org/show_bug.cgi?id=244272



Vulnerability Solutions
=======================

The fixes for all of the security bugs mentioned in this advisory
are included in the 2.16.6 and 2.18rc1 releases.  Upgrading to these
releases will protect installations from possible exploits of these
issues.

Full release downloads, patches to upgrade Bugzilla to 2.16.6 from
previous 2.16.x versions, and CVS upgrade instructions are available at:
~  http://www.bugzilla.org/download.html

Specific patches for each of the individual issues can be found on the
corresponding bug reports for each issue, at the URL given in the
reference for that issue in the list above.


Credits
=======

The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix
these situations:

Vlad Dascalu
Laran Evans
Jouni Heikniemi
Felix Hieronymi
Byron Jones
Gervase Markham
Dave Miller
Gabriel Millerd
Joel Peshkin
Christian Reis



General information about the Bugzilla bug-tracking system can be found
at http://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools
mailing list; http://www.bugzilla.org/discussion.html has directions for
accessing these forums.

- -30-

- --
Dave Miller      Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/             http://www.bugzilla.org/




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFA8HpX0YeDAOcbS44RAphsAJ9czTa994vPqcCB5M6nmzi2qf1QUwCgnUiq
txjxqfRC+96Qm6whxshfM4s=
=RPO1
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ