A Bugzilla Security Advisory reports :
The following security issues have been discovered in Bugzilla :
Internet Explorer 8 and older, and Safari before 5.0.6 do content sniffing when viewing a patch in ‘Raw Unified’ mode, which could trigger a cross-site scripting attack due to the execution of malicious code in the attachment.
It is possible to determine whether or not certain group names exist while creating or updating bugs.
Attachment descriptions with a newline in them could lead to the injection of crafted headers in email notifications sent to the requestee or the requester when editing an attachment flag.
If an attacker has access to a user’s session, he can modify that user’s email address without that user being notified of the change.
Temporary files for uploaded attachments are not deleted on Windows, which could let a user with local access to the server read them.
Up to Bugzilla 3.4.11, if a BUGLIST cookie is compromised, it can be used to inject HTML code when viewing a bug report, leading to a cross-site scripting attack.
All affected installations are encouraged to upgrade as soon as possible.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
# copyright notice, this list of conditions and the following
# disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
# published online in any format, converted to PDF, PostScript,
# RTF and other formats) must reproduce the above copyright
# notice, this list of conditions and the following disclaimer
# in the documentation and/or other materials provided with the
# distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration phase: when `description` is set the script only declares its
# metadata (id, CVEs, advisory text, references, scoring, prerequisites) and
# then stops at the exit(0) that closes this block; the package check further
# down is not reached in this mode.
if (description)
{
script_id(55847);
script_version("1.9");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
# All seven CVEs are reported together by this one plugin; a finding does not
# say which of them applies to the installed version.
script_cve_id("CVE-2011-2379", "CVE-2011-2380", "CVE-2011-2381", "CVE-2011-2976", "CVE-2011-2977", "CVE-2011-2978", "CVE-2011-2979");
script_name(english:"FreeBSD : bugzilla -- multiple vulnerabilities (dc8741b9-c5d5-11e0-8a8e-00151735203a)");
script_summary(english:"Checks for updated packages in pkg_info output");
script_set_attribute(
attribute:"synopsis",
value:
"The remote FreeBSD host is missing one or more security-related
updates."
);
# Advisory text as extracted from the FreeBSD VuXML entry (see the file header).
# It is carried over whole, so it also lists the Windows-only temporary-file
# issue even though this plugin is registered for FreeBSD hosts.
script_set_attribute(
attribute:"description",
value:
"A Bugzilla Security Advisory reports :
The following security issues have been discovered in Bugzilla :
- Internet Explorer 8 and older, and Safari before 5.0.6 do content
sniffing when viewing a patch in 'Raw Unified' mode, which could
trigger a cross-site scripting attack due to the execution of
malicious code in the attachment.
- It is possible to determine whether or not certain group names exist
while creating or updating bugs.
- Attachment descriptions with a newline in them could lead to the
injection of crafted headers in email notifications sent to the
requestee or the requester when editing an attachment flag.
- If an attacker has access to a user's session, he can modify that
user's email address without that user being notified of the change.
- Temporary files for uploaded attachments are not deleted on Windows,
which could let a user with local access to the server read them.
- Up to Bugzilla 3.4.11, if a BUGLIST cookie is compromised, it can be
used to inject HTML code when viewing a bug report, leading to a
cross-site scripting attack.
All affected installations are encouraged to upgrade as soon as
possible."
);
# Upstream bug reports on bugzilla.mozilla.org, one see_also entry per bug.
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.mozilla.org/show_bug.cgi?id=637981"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.mozilla.org/show_bug.cgi?id=653477"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.mozilla.org/show_bug.cgi?id=674497"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.mozilla.org/show_bug.cgi?id=657158"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.mozilla.org/show_bug.cgi?id=670868"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.mozilla.org/show_bug.cgi?id=660502"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.mozilla.org/show_bug.cgi?id=660053"
);
# https://vuxml.freebsd.org/freebsd/dc8741b9-c5d5-11e0-8a8e-00151735203a.html
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?65bad0b4"
);
script_set_attribute(attribute:"solution", value:"Update the affected packages.");
# A single CVSS v2 base vector is registered for the whole advisory. It records
# partial confidentiality impact only (C:P/I:N/A:N), while the description
# above also lists cross-site scripting and mail-header injection.
# NOTE(review): confirm this vector reflects the worst case among the seven
# CVEs before relying on it for triage.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
# "local" plugin type: the verdict comes from data collected on the host, not
# from probing the Bugzilla web application.
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:bugzilla");
script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
script_set_attribute(attribute:"vuln_publication_date", value:"2011/08/04");
script_set_attribute(attribute:"patch_publication_date", value:"2011/08/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2011/08/15");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"FreeBSD Local Security Checks");
# Prerequisites: the three KB keys below are required, and ssh_get_info.nasl
# is declared as a dependency (presumably the script that fills them in from
# an authenticated session; confirm against that plugin).
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
exit(0);
}
include("audit.inc");
include("freebsd_package.inc");
# Check phase. The verdict is based only on the package list stored in the
# knowledge base; nothing is sent to the Bugzilla web application itself.
# NOTE(review): a Bugzilla copy deployed outside the package system (for
# example unpacked from a release tarball) would presumably not appear in
# Host/FreeBSD/pkg_info and so would not be evaluated here; confirm and cover
# such installs by other means.

# Preconditions, in the same order as the required keys: local checks enabled,
# host identified as FreeBSD, package list collected.
local_checks_on = get_kb_item("Host/local_checks_enabled");
if (!local_checks_on) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

freebsd_release = get_kb_item("Host/FreeBSD/release");
if (!freebsd_release) audit(AUDIT_OS_NOT, "FreeBSD");

pkg_listing = get_kb_item("Host/FreeBSD/pkg_info");
if (!pkg_listing) audit(AUDIT_PACKAGE_LIST_MISSING);

# Affected package ranges for the two release lines named in the checks.
# Every range is tested (no early exit) so that each match is saved into the
# report returned by pkg_report_get().
affected_ranges = make_list(
  "bugzilla>=2.4.*<3.6.6",
  "bugzilla>=4.0.*<4.0.2"
);

hits = 0;
foreach pkg_spec (affected_ranges)
{
  if (pkg_test(save_report:TRUE, pkg:pkg_spec)) hits++;
}

if (hits == 0) audit(AUDIT_HOST_NOT, "affected");
else
{
  # Attach the package report only when the scan asks for verbose output.
  if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
  else security_warning(0);
  exit(0);
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2379
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2380
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2381
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2976
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2977
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2978
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2979
www.nessus.org/u?65bad0b4
bugzilla.mozilla.org/show_bug.cgi?id=637981
bugzilla.mozilla.org/show_bug.cgi?id=653477
bugzilla.mozilla.org/show_bug.cgi?id=657158
bugzilla.mozilla.org/show_bug.cgi?id=660053
bugzilla.mozilla.org/show_bug.cgi?id=660502
bugzilla.mozilla.org/show_bug.cgi?id=670868
bugzilla.mozilla.org/show_bug.cgi?id=674497