![]() ![]() If enabled, Bugzilla will force HTTPS (SSL) connections, by automatically redirecting any users who try to use a non-SSL connection.ĭefines the domain for Bugzilla cookies. ĭefines the fully qualified domain name and web server path for HTTPS (SSL) connections to this Bugzilla installation.įor example, if the Bugzilla main page is, the “sslbase” should be set to. This can be a fully qualified domain name, or a path relative to “urlbase”.įor example, if the “Bugzilla Configuration” page of the documentation is, set the “docs_urlbase” to. ĭefines path to the Bugzilla documentation. The address need not be that of a valid Bugzilla account.ĭefines the fully qualified domain name and web server path to this Bugzilla installation.įor example, if the Bugzilla query page is, the “urlbase” should be set to. Administrators should review this list before deploying a new Bugzilla installation.Įmail address of the person responsible for maintaining this Bugzilla installation. These parameters must be set before a new Bugzilla installation can be used. The core required parameters for any Bugzilla installation are set here. Following is a description of the different categories and important parameters within those categories. The parameters are divided into several categories, accessed via the menu on the left. If vulnerable, we encourage you to upgrade or patch your installation as soon as possible.Bugzilla is configured by changing various parameters, accessed from the “Parameters” link in the Administration page (the Administration page can be found by clicking the “Administration” link in the footer). To help organizations detect these vulnerabilities, Retina Network Security Scanner (RNSS) Audit Release version 2821 has two relevant audits:ģ5388 - Bugzilla < 4.0.15/4.2.11/4.4.6/4.5.6 Multiple Vulnerabilities - Remote 35391 - Bugzilla < 4.0.15/4.2.11/4.4.6/4.5.6 Multiple Vulnerabilities - XMLRPC For those organizations who are unable to upgrade to a newer version, the Bugzilla team has also released patches that can be found in the security advisory under the References URL for each vulnerability. All of these releases except for 4.5.6 have been tested by QA and protect against this vulnerability. We can tamper with the Real Name parameter to clobber the login_name hash value:Īllowing us access to all bugs as address this vulnerability, the Bugzilla team has released versions 4.0.15, 4.2.11, 4.4.6 and 4.5.6. If we log into a different account, no bugs are listed:īut if we are clever and create a new account: We can see, as a member of Local Guys, we have access to a few bugs: The following shows precisely how an attacker can exploit this vulnerability:Ī group, named Local Guys, has been set up for email addresses matching group is the only one with ‘view access’ for any bugs within TestProduct: What group the user joins depends on the group’s regex settings. When finalizing the creation of a user account, Bugzilla utilizes the login_name variable to automatically add the user to an existing group. ![]() The fix for this was to force a scalar value to be returned. Furthermore, if one of the values is a previously assigned key within the hash, such as login_name, it will be overwritten with the next value in the list, opening the door for potential exploitation. In the case of this vulnerability, if the ‘realname’ parameter contains multiple values (eg, realname=value1&realname=value2), cgi->param() returns a list. + realname => scalar $cgi->param('realname'),Ĭgi->param() is vulnerable because it is context-sensitive, meaning it can return a scalar or a list. Looking at the patched diff ( ), we can see the vulnerability lies within cgi->param(): This issue is currently being tracked as CVE-2014-1572. Perhaps the most interesting of these vulnerabilities, discovered by Netanel Rubin of Check Point Software Technologies, is one in which an attacker can automatically be added to certain groups that they were not intended to be a part of, essentially, elevating their privileges. Bugzilla, a very popular web-based bug-tracking system, has recently announced that multiple vulnerabilities have been discovered ( ). ![]()
0 Comments
Leave a Reply. |