[BUGZILLA] Security Advisory - SQL injection, information leak
Bugzilla Security Advisory
November 2, 2003
Summary
=======
Bugzilla is a Web-based bug-tracking system, currently used by a large
number of software projects.
This advisory covers security bugs that have recently been discovered
and fixed in the Bugzilla code: two instances of arbitrary SQL injection
exploitable only by a privileged user, one instance where a privileged
user may retain privileges that should have been removed, and two
instances of unprivileged access to summaries of restricted data.
These bugs are not considered critical, since their impact is quite
limited. Nevertheless, all Bugzilla installations are advised to upgrade
to the latest stable version of Bugzilla, 2.16.4, which was released
today.
Development snapshots prior to version 2.17.5 are also affected, so if
you are using a development snapshot, you should obtain a newer one
(2.17.5) or use CVS to update.
Vulnerability Details
=====================
Issue 1
-------
Class: SQL injection (by privileged user only)
Versions: 2.16.3 and earlier (2.17.1 and up are not affected)
Description: A user with 'editproducts' privileges (i.e. usually an
administrator) can select arbitrary SQL to be run by the
nightly statistics cron job (collectstats.pl), by giving a
product a special name.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=214290
Issue 2
-------
Class: SQL injection (by privileged user only)
Versions: 2.16.3 and earlier, 2.17.1 through 2.17.4
Description: A user with 'editkeywords' privileges (i.e. usually an
administrator) can inject arbitrary SQL via the URL used to
edit an existing keyword.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=219044
Issue 3
-------
Class: Privilege mishandling
Versions: 2.16.3 and earlier (2.17.1 and up are not affected)
Description: When deleting products and the 'usebuggroups' parameter is
on, the privilege which allows someone to add people to the
group which is being deleted does not get removed, allowing
people with that privilege to get that privilege for the
next group that is created which reuses that group ID.
Note that this only allows someone who had been granted
privileges in the past to retain them.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=219690
Issue 4
-------
Class: Information leak
Versions: 2.16.3 and earlier, 2.17.1 through 2.17.4
Description: If you know the email address of someone who has voted on a
secure bug, you can access the summary of that bug even if
you do not have sufficient permissions to view the bug
itself.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=209376
Issue 5
-------
Class: Information leak
Versions: 2.17.3 and 2.17.4 only
Description: Under some circumstances, a user can obtain component
descriptions for a product to which he does not normally
have access.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=209742
Vulnerability Solutions
=======================
The fixes for all of the security bugs mentioned in this advisory
are included in the 2.16.4 and 2.17.5 releases. Upgrading to these
releases will protect installations from these issues.
Full release downloads, patches to upgrade Bugzilla to 2.16.4 from
previous 2.16.x verions, and CVS upgrade instructions are available at:
http://www.bugzilla.org/download.html
Specific patches for each of the individual issues can be found on the
corresponding bug reports for each issue, at the URL given in the
reference for that issue in the list above.
Credits
=======
The Bugzilla team wish to thank the following people for their
assistance in locating and advising us of these situations:
Bradley Baetz - for discovering and fixing the issue with voting on a
secure bug
Ryan Cleary - for discovering the issue with component descriptions of
secured products
Andrew Eross - for discovering the SQL injection in collectstats.pl
Vlad Dascalu - for discovering the SQL injection in editkeywords.cgi
Stefan Mayr - for discovering and fixing the privilege deletion issue
when deleting products
General information about the Bugzilla bug-tracking system can be found
at http://www.bugzilla.org/
Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools
mailing list; http://www.bugzilla.org/discussion.html has directions for
accessing these forums.
-30-
--
Dave Miller Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/ http://www.bugzilla.org/