Bugzilla quips.cgi COMMENTS Variable XSS

2002-11-09T00:00:00
ID OSVDB:6401
Type osvdb
Reporter OSVDB
Modified 2002-11-09T00:00:00

Description

Vulnerability Description

Bugzilla contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate COMMENT variables upon submission to the quips.cgi script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Technical Description

The flaw has been fixed in two different ways, because the affected code lives in two places. 2.4.x had a CGI script for quips. In 2.6.x, quips moved out of the CGI script and into a template.

The severity of this vulnerability is described as minor. Quips are not enabled by default.

In version 2.14.x, /cvsroot/mozilla/webtools/bugzilla/quips.cgi contains:

    if (open (COMMENTS, "<data/comments")) {
        while (<COMMENTS>) {
            print $_,"<br>\n";
        }
        close COMMENTS;
    }

Each stored quip is printed verbatim, so any markup in the data/comments file reaches the browser unescaped. The fix is to replace:

    print $_,"<br>\n";

with the following, which handles the HTML tags properly:

    print html_quote($_),"<br>\n";

In the vulnerable versions 2.16 and 2.16.1, /cvsroot/mozilla/webtools/bugzilla/template/en/default/list/quips.html.tmpl contains:

    <ul>
      [% FOREACH quip = quips %]
        <li>[% quip %]</li>
      [% END %]
    </ul>
    [% ELSE %]

To fix this, replace:

    <li>[% quip %]</li>

with the following, which handles the HTML tags correctly:

    <li>[% quip FILTER html %]</li>

Solution Description

Upgrade to version 2.17.1 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the following workaround(s):

Apply the vendor patch for versions 2.14.4 and 2.16.1. For 2.17, perform a CVS update.

For Bugzilla 2.14.x and 2.16.x users, the quips are stored in the 'data/comments' file. Bugzilla 2.17.x stores quips in a 'quips' table in the database.

Stored quips should be checked for escaped HTML tags, since the patch only changes how quips are rendered and does not clean entries that were submitted before it was applied.
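The following is an added example, not code from Bugzilla or from this advisory. It mirrors the two rendering behaviours described above (the verbatim print loop of quips.cgi and the escaped one after the fix) and adds the audit step the solution text calls for: scanning a data/comments-style file for stored quips that still contain raw HTML. The input is a constructed sample, and Python's html.escape is used as a stand-in for Bugzilla's html_quote() and the template's FILTER html; both substitutions are assumptions made for the example.

```python
import html

# Constructed sample of a data/comments file, one quip per line, in the
# layout Bugzilla 2.14.x/2.16.x used. The third line stands in for a quip
# that carries raw markup; it is inert text, used only to show the difference
# between the two renderers.
SAMPLE_COMMENTS = """Coffee first, then bugs.
It works on my machine.
<b>bold quip</b> with a <i>tag</i> & an ampersand
Fixed in the next release, honest."""


def parse_quips(text):
    """Split a data/comments blob into quips (one per line, blank lines dropped)."""
    return [line for line in text.splitlines() if line.strip()]


def render_vulnerable(quips):
    """Mirror of the pre-fix quips.cgi loop: each quip is echoed verbatim and
    followed by <br>, so markup stored in the file is sent to the browser as markup."""
    return "".join(f"{quip}<br>\n" for quip in quips)


def render_fixed(quips):
    """Mirror of the patched loop: html.escape (assumed equivalent of html_quote)
    turns <, >, &, and quotes into entities before the <br> is appended."""
    return "".join(f"{html.escape(quip, quote=True)}<br>\n" for quip in quips)


def find_unescaped_html(quips):
    """Audit step from the solution text: return (index, quip) for every stored
    quip that contains characters the browser would interpret as HTML.
    A quip that is already entity-encoded (e.g. contains '&amp;') is reported
    too, because escaping it again on output would double-encode it; those
    entries need a human decision rather than an automatic rewrite."""
    flagged = []
    for index, quip in enumerate(quips):
        if html.escape(quip, quote=True) != quip:
            flagged.append((index, quip))
    return flagged


if __name__ == "__main__":
    quips = parse_quips(SAMPLE_COMMENTS)
    print("--- vulnerable rendering ---")
    print(render_vulnerable(quips))
    print("--- fixed rendering ---")
    print(render_fixed(quips))
    print("--- stored quips needing review ---")
    for index, quip in find_unescaped_html(quips):
        print(f"line {index + 1}: {quip!r}")
```

Running the script prints both renderings side by side and then the list of stored entries that would need review before or after applying the vendor patch; the same find_unescaped_html check can be pointed at the contents of the 2.17.x quips table once the rows are read out, since the logic depends only on the quip text.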


References:

Vendor URL: http://www.bugzilla.org
Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=103837886416560&w=2
ISS X-Force ID: 10707
Bugtraq ID: 6257