Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Moderately Critical Bugzilla Bugs Squashed



 By: Ryan Naraine
2006-10-16
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Flaws in the open-source bug-tracking tool puts users at risk of cross-site scripting, script injection and data manipulation attacks.

Multiple security flaws in Bugzilla could put users of the software defect tracking software at risk of cross-site scripting, data manipulation and data exposure attacks.

According to a warning from the open-source Bugzilla project, users should immediately upgrade to versions 2.18.6, 2.20.3, 2.22.1 or 2.23.3 to minimize the risk of malicious attacks.

Security alerts aggregator Secunia rates the vulnerabilities as "moderately critical."

Resource Library:

The most serious vulnerability occurs because Bugzilla does not properly sanitize various fields when embedded in certain HTML headline tags.

"This can be exploited to execute arbitrary HTML and script code in a users browser session in context of an affected site," Secunia warned.

Read more here about a Firefox flaw warning hoax.

A second error that happens when attachments in "diff" mode are viewed could let unauthenticated users read the descriptions of all attachments.

Additionally, when exporting bugs to the XML format, the "deadline" field is also visible for users, who are not members of the "timetrackinggroup" group. This can be exploited to gain knowledge of potentially sensitive information, the company explained.

Unpatched versions of Bugzilla also allow users to perform certain sensitive actions via HTTP GET and POST requests without verifying the users request properly. This can be exploited to modify, delete or create bugs.

Bugzilla is a free, Web-based tool used by software developers to track code bugs and defects. It was originally developed by the Mozilla Foundation and is widely used in the open-source community.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.





  Reader Comments: Moderately Critical Bugzilla Bugs Squashed
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}r8s;>Ӯc*d[5e[KU-EB!)}9?߸xӅ|)W-`H D?;;~$rȅklJv';D;;?!P|oS/92p=z#m)>M3ȩ 55vGl&J~ AT{j x5u]ٚ#7Gp2 X -$0kzZ'jZw6(CLep ZwO~Vh⻶eMaoN w"Ntod9 Q6}RTR/F<wk FqB {.Yu^?>خq 8]b'*#O^3lְB1BE/t#wJ;rMG9"QcO$աUqLJ^tf>D>8z v v=rJ53' =K;O=kN]w=jP?b@2hưaqpo! d4F# 5#Ϟ~b[>4:]dU~7@7nG;s}2w .wQKvT6'`>6)L|@ɤ:أz/˺7h4öۼCٰo4TiUE9(TR8+{1{߶ك̝ w֨n>=Wʪ)J{>ʑGAnkp[J^׵Vh]w|ir m + o$&7 JDTRB`$" Pc@GG$/@B .oVSZV@+(H.#I-bzO``% pbQUrngSK׺nw[::;nN|bP+Mz(#1hؕ 3Dz 7'7ϗ7MtqKER"1t9}jqo]}>. !=Ow| nr2GrI/]o$$̛cM|`I`6M2X~`]NSjVmT7o`H2 &4 .άzp-@lo K(:H)5?&9gMil&XJp7Ӕ>`I˪2TI0%mQq:]R$y3DDȝ g/3/r.i }th8yWҽTws iغt49;OesJVd];3E֏FZTpx3j׭cҽ\v;6O[xXaZ`A). 8G]77JG_)Ab/*5U9-|Qnl :2X bX2nҡ>O>΂IutO|BMk6tI< YC#ʠ:ڴ{\gVc4!D&Ma^h>[W <{ } 0&ԟsZ LP"AЂMz>tT9]|2Zw9ܻ-(; hk=`DMWtCP{DM}PCn@ }S(|`OA=X9;ݲeǀxԜЇ)u`Hd˕N },@H>'hI#r B!,`@n%`9 P􎄰R1iJLO:Tt{B#}Tz(΍5aGe-n^ $ d3CCd0U Q򍜈<"`&ˑea*0pRx5Vn`oʁUt@ބph,a8Bdp=YIcL#pEQY hAsq=7߄s w0@aEдBk`LAqyc]@k9wt<͉qlc9_A:\!4Lh,G7v9>5TUX&t3tTkyn='.0|jjiS w$mrn)TЛv!39n! hW.Y 2cxRUyRt+[Y3R7)\IYbT9XScXM`Dw ,z?v'm/n$1N`V|\vΖuV"kͲG{_No6Ҟ~iZZ @-ei la-׾0^Ԣ(-a|u(" !tsaŴ,B /0<:Bb&^&dhQ> `5}sö V/U 鏡LX:Z^Ϛe+ L 24 0`"w`b\0 N`N#w Asmt~o0]|:; 0T#}0 t1)L>Fװ HZU{)u&Hx#e\6V,'Urqҝa|ia=i- ;eSKZa6O[-j+Ao{LrCm0 "}˞CO1W]PZ`!?RP$G q/#Y /9m0ܡk}6bDugNPt>-D.,g \jpb Zqq&~~~0,\y.Kg>f}`+|\sgI оGhʰeXh`Zzq#JD%hXPr&S4Z0@cy) :6. 2H#60/`k .^@>%@P-W0"FcK鬡cKU1SOm{hCy-X\>(D7i;~Ò?DBRcK=ܴ>?CU^oV8;OfjZ(T+16DZUT9(J{}|3??=ehČ?@>Oӏ7[fi^8~^L}6݂ /]rϙ,|: '312&s!AZNЎ@OeƚR*%1Ps0]((*H3jנj@V_w,4 )3%NJt ҹD\U4UudԻebՈ=G:`LEWFڬ,pZu.eOS)&Vt u| `_snM<=W֔H0  d5}u*ZW}\bY LjB:Gd@+`ЎT8^GwdV}P@K&nƚ6 ˳iLZ޼~WLoG;3N/dZp|aP;E9Ȳ5(_3BnuItLeb`lby@sԵлMsls g4s'DcC6jM+'A&GlEմZY+->Q} 2!`O ~o'A΁MO0="c^f.2|YyјL#i}SU>הю"eƬɢ(6CiB/%ex.]c>/$RQr+T΀4OxR,WEzxLa-XPjBD*>"MC/ ސOZ[GCn$}!W>U PU(V $yVp8s\!n?eVVW`j-^2ǽi n.E[ 4˷ʨKV͖K%4e3/-GX<y=baOrKz]w޼\8#̞ÒfDs, .q,: -e4Cnƭj՚*ӪV$,< 7C{dG,-LGI4n:&.2O%ss]5 ⿁OnΏ;ܝ>FIn:H墦AkR;qG+a>&ra&: G ɢ\' WeRU8H3Az' vBq]6ps^a?vq-49I(4Ԉ xϰL' eVqm?3 cSwWwvZU} A D@";n}ߵ?% ?S-Ѝ18gMX1BNrE])7>)hlsٓNxǏG:vݹ筃b> gY/JЏWKӇ-5.Ї_qt@`QXj_4O[b8 !6,5ރ `i0Bjx@C?rfWϊ۫qTц['0F@q Ɂvz΅sѼ>m_/~u;9o_dcxΕx\R}zrU8+Dyy|ly\3amF 'LkdS+H[3 RX:ǭkN,WZXKR!}&>CeQ6h٦;+^+,kĚ_f·?!|J'<AP{ r P)'$ yktb;-38Ǟw=hh!腘:Uaҏ"(BR.IHO5xv:\79Ql6w FWE'k+{--'2}m!џ.`n eIbQ+f+I/sGHy 8/w`PIB882 7{KP .MuRo2MDYk.NEm{6-~8 cha(!t$-zdeQnKl?aRLɔ&.ϕ|Lhk'IZV6X(4%!44AԌObCYF*#7' ҽj^npVPto6_xvIt%1sgKe  KQk Qb)-#*VZRZ-Vyʏxi9: a!]'gy/wгOZEb۝c3cE)vv6x}y:b1 ݮne)ܱj{操~;Oj9vЛ}NFԢn q;X9z}H{O{,j8;_?P.zZTrcܩXn ˳0q!~xGM{@uS棏g 95Ny Z:wvk},daSn/?~vsW} ?-l-8t砞TϏ$ɘNFBAWU-u*lko rY9sJeWVr;d,'Qd1׭ 0dƛqKg=#tzo=ȥGֻݥq?*~/w7]f+wuB%u-JKz9nwhp;D%yȁqQ#y6K`#jv.b_;+&bi4W;Tn{dskH:>dO1\j@m鼳~2O> AYVrlK9Grs&cx2HB%7˶˷Fp7*gcc3/F#%gOSϱ6m @|Րp/hZ1i`jcZ/p8|#؈f/'Ɏ?7e{cA|3 e\wcRο+ wXR|  .i{\naan0^> <"t(u߂KݤCƧˁUm]˭L87RX16!KmfYMxLdtm<-uC>^Қ1UU1\,4ԲgC2 ˶ :;xivODaq:TbC箋TŽ3f{zGLgcg MٴޘNȋx&WT2TO(%S&I'ҽgH>?^ G;ɒ*2G.!1v}iː{8Pcˬ|iLDx@F#cA Hgʂa oWH\JCym"[)o-bV%^Ǯ&VcKnU0Is/!lu{#}%spxRi&gBdfou.fCs͗a>;  ơUA6q!"A$1Dق (Ij< iR4t &NY`Pމ0sTXmuEcf%=1Nip!:AFdSD%:nJ!YZ&!sYtƯ]V-Bs>e~Bz 24Q76!%^t,3==cMeWXeSG xuSSP@9OJɯnHY/-^X CI04334/i$ /D2)'>0H:ap_i!V^NEtݺ:x4EUC ˫+걛$G-`1?k7s+׶TՊ^So&c-l` $l-%zX+߈2_g^MC㓿qEZzۮh ϗ]㖭'RK,ŘЮmG1!|Ϭ|v w~Agכ~ҟ6l-U<M}R{c*% tE]qa|=$v20D8$<!Az{=.B4l=ƶo|kr7+`]Hm_9&hl=U4xwmgo6u8FبڷvFcos,{a\ y}dՏgXg.efIo퍍KoZOFo1Gcq ֙#+%E:>Z A H>ۡ 9jK[!!3jЍk'jlG9TA|h#R/Fw0t׏m\d%,4lt5`oа|B"# hSpizlïnBif-e։5V(4Ts'5s+x$(0P7z!2|t\Zbowwv]gqsZ;|O_[/Em/)5 Dxv~}l Lf5.eãEzmOӪ{ eokUZWqi6-sO?S{6޶>qñŃ4F+ Իa@amIYtfSxCm fi LuM||#o5?'.&cu,,!NtɚL]/НǝSPE\y| 㷈!PS]x?*ǝ@ Š& ~11FVVrc[~tzUQ1#cpX)LHjXEB)ȁ;] )TmSOǝ07hsîZKN(aږNJ$$&Jjidך$F➱tyϽgDG>l갺Xo\a0_LV&gdB8AXJrXD Ň>ɂ "K& yLn$?87J6ǜMEfA儷ƅT9Us\: G ]J1xy[ߏN֘0HtL'f<::BMEWBhfx#-F5o>|VŠx!Vy ?m+=umvX5n{u3%zi<"} ޼vgO%ܬXMܮrGn܀g!E8acMG⾰p#C;@mj|)5,\  Փ,,QkOu$ζy1K%XS#o=gi`TX.,|(ýA PxxX B{ɯ'B#sJ l9 sXxMw5=8e1!8X<k = m5H(%LfNt10۱px&-Rý<HPY#/V7ka5,9)1i\d3+nіTm}yVң]F bh ə莥c~67mjg~R߈uXb'ʵxd=-z> 1<8DvZ3ZNppu!.N-<_!ƘiF0#  Ĉ bU&wܠ~z*ڟOe^n3nZU}GКXp/J $mm@+>D o'=& )<]С reOJIg8>>|6ڈy빟i$YVcMr'7LӦ2K= o~{@\r 8r,-D|tz['U}H?Km1Phb#3!( Qsrٺ鞷zu=<xJ9aQqs#o}N)2 &;5g4>a:$.+JAW d΂  [z;wкlUᜭ#+^bʑ&,͏֨n>]_vR$e1 h0*pgj9V KXM 2@: xE ߍ=]:N0%`\A~cs=qbZ!Ř!b`"^r {4bwڜND6_,5h#_:+?-P Y G3wУ4ϓo>~2cD^S|??'~?MHb'u~"gvK .X`SYej xpx}2=cܕeZ(`bd,ywJw`C'[EY|ob{` ?ET&nNKM ٌb$!%H$`x=9`6D2߰bJU(IhRW|W \gޕa)豊 ʷ7Ͳg2qӅ&JZ `xzNrdhz߃;_Ч6#ko;}sWrҹ&Mrrju\yga[+N|Uw;_:W_Oڗe/8<j5nuZ6ZNA|vuQ59sעOmj7^>s.Mp4ħyG:\#4[E9yF'(Q+Q~ ˏ@͌w2ʑ{ˏǭ#(?Z_~9)4vq^_>5пvF?Ӿ(3k|fy|v_d_d^ds E/>/2">G/3ʿdAYFߠoP~Q{1?s w1'? ɐ/W@Wq_e sA?]7c]7c=^X_s}}/Y0/(*ɠh& K:ICP.Np3Ka /ޯ?e$@yJɠ2,c2\.2kܿ2~62Am_u aqʍz^S_xʮ[k8VҮap_/_xi +{JO2 r hxVydb bye?VPw;]SҤ]j. {%])r-XѧZ}5_9x=U26C{":^iQUޜb>v#ygx&@_]?&7S.pqk;ُϋGkwՕq@Afп~%k"N^xylߣx߅ oBgUN?j{$oqAzGzY)W8#~uʞ^e*8uߚLYu8 % ~xY&ƀY8'}R?аs317xz =sΈVf߰- t6EM++J9wWrHk҂=""CQL`FTMVYI2ZYr(RB4|OӴW)Y7tSsc<{+4аY-P=^?FGG0>u̺@ŗ1 {7/TMu// {_A1Cf@2b'`{z5(h3o6>&m\ʠaCao/XbKZ;c`\G;o= 3gjY }fy0\9Khw `z4}z<8J)g,#[LotO\lHτ[4п}S%(uLp(}'eC k`V{ϙer-#2O,5U,%w|ICNɱF?] soR:=d<0 ۏVs.ҡY280~.6{Ťe @ v[/`51lx)f\c7^bv]]32r }J 1)NH6틷'YAv3&Fdu#aqq%f~7;`ېœ wnj*\8Ï }CQ=;d܆,dRvԙ%JO_C%uocOaItW\&QTł霰)#,|HTP}HGm:Zd_L7W`@0Y~l+>Bыp`HzByvH :BVF&V3v,=GIjg_5 BF3q< Y8T"czGmw9= S%Juf*HrFx*D ,AP6vo>#c? `vwb9c˖  Mm+#84B>ҼlQ޺%qm.; +CO1֪TU| [B1қqmj_U`7'#~"3VœA6`0CF3 ܀}olI OyݟG/7~~ r@c[$ߟ2"L) ԦLw)+],byY3E` pCQ!*m^x9N@xmѕhWɬQt6-/#^Dc`Wpۂ{S-Urcd+{f:ePEXt6Mf_X (K# L{EN8u vKѪ V7"!a^o1n%/ـ&@s=V*.v&e6r!*l XGڦZMQa[~nb=x]g¶,yX]F\'X3'5i3|6,lp/>cwq`2]g4^l,eLWaYX&5ęV3/O CׅѰ0 L;,lyEG%RRNCb 0F #:`2 1>,G h<˜4W6YĶqytc~ږ10#ŸErN,ŀjV0U9sm j׺W6xozc|>[zwD,5b;tP9ɓOz0 s͙!c׆)a+c~,Km)3 {ς ixv4<@Tf_E@G7`yUĄfٵ\RJnrmm#{J >dS17@j0\|H d[\O^مu&v3k/YH~>  r*r*]xWI"cXM?#:T+ + Sq}=o-]z,sٓN<|;XYx ~']f(FRqO\|jWu;1XغqKGN;/4hI:VH]5ۗɊxYο`*XE Cl⍿C014?ZSˬZY$IL#[ov[b$- U.IM)V ]jq۩ QB6lS2u̹D/4^JB\qrH'r0>dv=̭q;f¦[HHdžIkckjg1-