Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2004-2022 Tenable Network Security, Inc.BUGZILLA_MULTIPLE_VULNS.NASL
HistoryJul 13, 2004 - 12:00 a.m.

Bugzilla < 2.16.6 / 2.18rc1 Multiple Vulnerabilities (XSS, SQLi, Priv Esc, more)

2004-07-1300:00:00
This script is Copyright (C) 2004-2022 Tenable Network Security, Inc.
www.tenable.com
10
JSON

The remote Bugzilla bug tracking system, according to its version number, is vulnerable to various flaws :

  • An administrator may be able to execute arbitrary SQL commands on the remote host.

  • There are instances of information leaks that may let an attacker know the database password (under certain circumstances, 2.17.x only) or obtain the names of otherwise hidden products.

  • A user with grant membership privileges may escalate his privileges and belong to another group.

  • There is a cross-site scripting issue in the administrative web interface.

  • Users passwords may be embedded in URLs (2.17.x only).

  • Several information leaks exist that may allow users to determine the names of other users and non-users to obtain a list of products, including those that administrators might want to keep confidential.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(13635);
  script_version("1.31");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/07");

  script_cve_id(
    "CVE-2004-0702",
    "CVE-2004-0703",
    "CVE-2004-0704",
    "CVE-2004-0705",
    "CVE-2004-0706",
    "CVE-2004-0707"
  );
  script_bugtraq_id(10698);

  script_name(english:"Bugzilla < 2.16.6 / 2.18rc1 Multiple Vulnerabilities (XSS, SQLi, Priv Esc, more)");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a CGI application that suffers from
multiple flaws.");
  script_set_attribute(attribute:"description", value:
"The remote Bugzilla bug tracking system, according to its version
number, is vulnerable to various flaws :

- An administrator may be able to execute arbitrary SQL
    commands on
    the remote host.

- There are instances of information leaks that may let an
    attacker
    know the database password (under certain circumstances,
    2.17.x only)
    or obtain the names of otherwise hidden products.

- A user with grant membership privileges may escalate his
    privileges
    and belong to another group.

- There is a cross-site scripting issue in the
    administrative web
    interface.

- Users passwords may be embedded in URLs (2.17.x only).

- Several information leaks exist that may allow users to
    determine the
    names of other users and non-users to obtain a list of
    products,
    including those that administrators might want to keep
    confidential.");
  script_set_attribute(attribute:"see_also", value:"https://www.bugzilla.org/security/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to 2.16.6 or 2.20 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/02/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/13");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:bugzilla");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2004-2022 Tenable Network Security, Inc.");

  script_dependencies("bugzilla_detect.nasl");
  script_require_keys("installed_sw/Bugzilla", "Settings/ParanoidReport");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

#
# The script code starts here
#

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

app = 'Bugzilla';
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80);

# Check the installed version.
install = get_single_install(
  app_name : app,
  port     : port,
  exit_if_unknown_ver : TRUE
);

version = install['version'];
dir = install['path'];
install_loc = build_url(port:port, qs:dir+'/query.cgi');

if(ereg(pattern:"(1\..+|2\.(16\.[0-5]|1[789]\..+|2(0 *rc.*|1))[^0-9]*$)",
       string:version))
{
  set_kb_item(name:'www/'+port+'/SQLInjection', value:TRUE);
  set_kb_item(name:'www/'+port+'/XSS', value:TRUE);

  if (report_verbosity > 0)
  {
    report =
      '\n  Version : ' + version +
      '\n  URL     : ' + install_loc;
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
  exit(0);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_loc, version);
VendorProductVersionCPE
mozillabugzillacpe:/a:mozilla:bugzilla

Related

ubuntucve 3
cve 6
ubuntucve
ubuntucve
CVE-2004-0707
2004-07-27 00:00:00
CVE-2004-0704
2004-07-27 00:00:00
CVE-2004-0705
2004-07-27 00:00:00
cve
cve
CVE-2004-0707
2004-07-27 04:00:00
CVE-2004-0703
2004-07-27 04:00:00
CVE-2004-0706
2004-07-27 04:00:00
JSON
Related for BUGZILLA_MULTIPLE_VULNS.NASL
ubuntucve3cve6