Advisory: Bugzilla: Cross-Site Scripting in Chart Generator RedTeam Pentesting discovered a Cross-Site Scripting (XSS) vulnerability in Bugzilla's chart generator during a penetration test. If attackers can persuade users to click on a prepared link or redirected them to such a link from an attacker-controlled website, they are able to run arbitrary JavaScript code in the context of the Bugzilla installation's domain. Details ======= Product: Bugzilla Affected Versions: 2.17.1 to 3.4.12, 3.5.1 to 3.6.6, 3.7.1 to 4.0.2, 4.1.1 to 4.1.3 Fixed Versions: 3.4.13, 3.6.7, 4.0.3, 4.2rc1 Vulnerability Type: Cross Site Scripting Security Risk: high Vendor URL: http://www.bugzilla.org Vendor Status: fixed version released Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2012-001 Advisory Status: published CVE: CVE-2011-3657 CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3657 Introduction ============ "Bugzilla is a 'Defect Tracking System' or 'Bug-Tracking System'. Defect Tracking Systems allow individual or groups of developers to keep track of outstanding bugs in their product effectively. Most commercial defect-tracking software vendors charge enormous licensing fees. Despite being 'free', Bugzilla has many features its expensive counterparts lack. Consequently, Bugzilla has quickly become a favorite of thousands of organizations across the globe." (from Bugzilla's homepage) More Details ============ The chart-generating script chart.cgi contains a method plot(), that creates a new chart: sub plot { validateWidthAndHeight(); $vars->{'chart'} = new Bugzilla::Chart($cgi); my $format = $template->get_format("reports/chart", "", scalar($cgi->param('ctype'))); # Debugging PNGs is a pain; we need to be able to see the error messages if ($cgi->param('debug')) { print $cgi->header(); $vars->{'chart'}->dump(); } print $cgi->header($format->{'ctype'}); disable_utf8() if ($format->{'ctype'} =~ /^image\//); $template->process($format->{'template'}, $vars) || ThrowTemplateError($template->error()); } The function's code shows that there is a "debug" parameter, that, if set, will make the function print out the variable that represents the chart with the dump() method implemented in Chart.pm: sub dump { my $self = shift; # Make sure we've read in our data my $data = $self->data; require Data::Dumper; print "<pre>Bugzilla::Chart object:\n"; print Data::Dumper::Dumper($self); print "</pre>"; } The dump() method then prints the given data structures without any further checks. This includes user-defined variables sent as URL or HTTP POST parameters, especially "label0". As the content of this variable is not checked for malicious input, it can be used to inject arbitrary JavaScript code into the debugging output. In fact, any variable of the form "labelXXX", where "XXX" is an arbitrary number, will work. The view() method in chart.cgi also invokes dump() when the "debug" parameter is set: sub view { [...] # If we have having problems with bad data, we can set debug=1 to dump # the data structure. $chart->dump() if $cgi->param('debug'); [...] } After reporting the bug, the Bugzilla team discovered that almost the same code is used in report.cgi, too, leading to the same problem: # Problems with this CGI are often due to malformed data. Setting debug=1 # prints out both data structures. if ($cgi->param('debug')) { require Data::Dumper; print "<pre>data hash:\n"; print Data::Dumper::Dumper(%data) . "\n\n"; print "data array:\n"; print Data::Dumper::Dumper(@image_data) . "\n\n</pre>"; } Triggering this XSS is more involved though. One attack vector would be for example to create a Bugzilla account, set one's own real name to contain JavaScript code, add a new bug and then create a report where one of the axes is the assignee's real name. Adding the debug=1 parameter to the resulting image URL will then include the name in the output, triggering the XSS. Proof of Concept ================ The following URL generates a new chart with debugging output enabled, containing JavaScript code in the "label0" parameter: http://www.example.org/bugzilla/chart.cgi ?category=-All- &datefrom= &dateto= &label0=<script>alert("XSS")</script> &line0=1 &name=1 &subcategory=-All- &ctype=png &action=plot &width=600 &height=350 &debug=1 The next URL triggers an XSS if one's real name includes JavaScript code, e.g. 'John Doe<script>alert("XSS")</script>': http://www.example.org/bugzilla/report.cgi ?query_format=report-graph &x_axis_field=bug_status &x_labels_vertical=1 &y_axis_field=assigned_to_realname &format=bar &ctype=png &action=plot &width=600 &height=350 &debug=1 Workaround ========== Manually remove the debugging code from chart.cgi and report.cgi, as it is not needed for Bugzilla to function properly. Fix === Update to one of the following versions: 3.4.13, 3.6.7, 4.0.3 or 4.2rc1. Security Risk ============= The risk of this vulnerability is estimated to be high. Being able to embed arbitrary JavaScript code allows attackers to completely manipulate the website, add their own content and track all user interaction. History ======= 2011-10-17 Vulnerability identified 2011-10-25 Customer approved disclosure to vendor 2011-10-27 Vendor notified 2011-11-21 CVE number assigned 2011-12-28 Vendor released fixed version 2012-01-03 Advisory released References ========== http://www.bugzilla.org/security/3.4.12/ https://bugzilla.mozilla.org/show_bug.cgi?id=697699 RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at http://www.redteam-pentesting.de.
Attachment:
signature.asc
Description: Digital signature