Bugzilla Chart Generator Cross Site Scripting

Type packetstorm
Reporter redteam-pentesting.de
Modified 2012-01-03T00:00:00


                                            `Advisory: Bugzilla: Cross-Site Scripting in Chart Generator  
RedTeam Pentesting discovered a Cross-Site Scripting (XSS) vulnerability  
in Bugzilla's chart generator during a penetration test. If attackers  
can persuade users to click on a prepared link or redirected them to  
such a link from an attacker-controlled website, they are able to run  
arbitrary JavaScript code in the context of the Bugzilla installation's  
Product: Bugzilla  
Affected Versions: 2.17.1 to 3.4.12, 3.5.1 to 3.6.6, 3.7.1 to 4.0.2,  
4.1.1 to 4.1.3  
Fixed Versions: 3.4.13, 3.6.7, 4.0.3, 4.2rc1  
Vulnerability Type: Cross Site Scripting  
Security Risk: high  
Vendor URL: http://www.bugzilla.org  
Vendor Status: fixed version released  
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2012-001  
Advisory Status: published  
CVE: CVE-2011-3657  
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3657  
"Bugzilla is a 'Defect Tracking System' or 'Bug-Tracking System'. Defect  
Tracking Systems allow individual or groups of developers to keep track  
of outstanding bugs in their product effectively. Most commercial  
defect-tracking software vendors charge enormous licensing fees. Despite  
being 'free', Bugzilla has many features its expensive counterparts  
lack. Consequently, Bugzilla has quickly become a favorite of thousands  
of organizations across the globe."  
(from Bugzilla's homepage)  
More Details  
The chart-generating script chart.cgi contains a method plot(), that  
creates a new chart:  
sub plot {  
$vars->{'chart'} = new Bugzilla::Chart($cgi);  
my $format = $template->get_format("reports/chart", "", scalar($cgi->param('ctype')));  
# Debugging PNGs is a pain; we need to be able to see the error messages  
if ($cgi->param('debug')) {  
print $cgi->header();  
print $cgi->header($format->{'ctype'});  
disable_utf8() if ($format->{'ctype'} =~ /^image\//);  
$template->process($format->{'template'}, $vars)  
|| ThrowTemplateError($template->error());  
The function's code shows that there is a "debug" parameter, that, if  
set, will make the function print out the variable that represents the  
chart with the dump() method implemented in Chart.pm:  
sub dump {  
my $self = shift;  
# Make sure we've read in our data  
my $data = $self->data;  
require Data::Dumper;  
print "<pre>Bugzilla::Chart object:\n";  
print Data::Dumper::Dumper($self);  
print "</pre>";  
The dump() method then prints the given data structures without any  
further checks. This includes user-defined variables sent as URL or HTTP  
POST parameters, especially "label0". As the content of this variable is  
not checked for malicious input, it can be used to inject arbitrary  
JavaScript code into the debugging output. In fact, any variable of the  
form "labelXXX", where "XXX" is an arbitrary number, will work. The  
view() method in chart.cgi also invokes dump() when the "debug"  
parameter is set:  
sub view {  
# If we have having problems with bad data, we can set debug=1 to dump  
# the data structure.  
$chart->dump() if $cgi->param('debug');  
After reporting the bug, the Bugzilla team discovered that almost the  
same code is used in report.cgi, too, leading to the same problem:  
# Problems with this CGI are often due to malformed data. Setting debug=1  
# prints out both data structures.  
if ($cgi->param('debug')) {  
require Data::Dumper;  
print "<pre>data hash:\n";  
print Data::Dumper::Dumper(%data) . "\n\n";  
print "data array:\n";  
print Data::Dumper::Dumper(@image_data) . "\n\n</pre>";  
Triggering this XSS is more involved though. One attack vector would be  
for example to create a Bugzilla account, set one's own real name to  
contain JavaScript code, add a new bug and then create a report where  
one of the axes is the assignee's real name. Adding the debug=1  
parameter to the resulting image URL will then include the name in the  
output, triggering the XSS.  
Proof of Concept  
The following URL generates a new chart with debugging output enabled,  
containing JavaScript code in the "label0" parameter:  
The next URL triggers an XSS if one's real name includes JavaScript  
code, e.g. 'John Doe<script>alert("XSS")</script>':  
Manually remove the debugging code from chart.cgi and report.cgi, as it  
is not needed for Bugzilla to function properly.  
Update to one of the following versions: 3.4.13, 3.6.7, 4.0.3 or 4.2rc1.  
Security Risk  
The risk of this vulnerability is estimated to be high. Being able to  
embed arbitrary JavaScript code allows attackers to completely  
manipulate the website, add their own content and track all user  
2011-10-17 Vulnerability identified  
2011-10-25 Customer approved disclosure to vendor  
2011-10-27 Vendor notified  
2011-11-21 CVE number assigned  
2011-12-28 Vendor released fixed version  
2012-01-03 Advisory released  
RedTeam Pentesting GmbH  
RedTeam Pentesting offers individual penetration tests, short pentests,  
performed by a team of specialised IT-security experts. Hereby, security  
weaknesses in company networks or products are uncovered and can be  
fixed immediately.  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security related areas. The results are made available as public  
security advisories.  
More information about RedTeam Pentesting can be found at