Contact

Contact us

+49 241 510081-0
kontakt@redteam-pentesting.de
Contact form
RedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting Header

Bugzilla: Cross-Site Scripting in Chart Generator

RedTeam Pentesting discovered a Cross-Site Scripting (XSS) vulnerability in Bugzilla’s chart generator during a penetration test. If attackers can persuade users to click on a prepared link or redirected them to such a link from an attacker-controlled website, they are able to run arbitrary JavaScript code in the context of the Bugzilla installation’s domain.

Details

  • Product: Bugzilla
  • Affected Versions: 2.17.1 to 3.4.12, 3.5.1 to 3.6.6, 3.7.1 to 4.0.2, 4.1.1 to 4.1.3
  • Fixed Versions: 3.4.13, 3.6.7, 4.0.3, 4.2rc1
  • Vulnerability Type: Cross Site Scripting
  • Security Risk: high
  • Vendor URL: http://www.bugzilla.org
  • Vendor Status: fixed version released
  • Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2012-001
  • Advisory Status: published
  • CVE: CVE-2011-3657
  • CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3657

Introduction

“Bugzilla is a ‘Defect Tracking System’ or ‘Bug-Tracking System’. Defect Tracking Systems allow individual or groups of developers to keep track of outstanding bugs in their product effectively. Most commercial defect-tracking software vendors charge enormous licensing fees. Despite being ‘free’, Bugzilla has many features its expensive counterparts lack. Consequently, Bugzilla has quickly become a favorite of thousands of organizations across the globe.”

(from Bugzilla’s homepage)

More Details

The chart-generating script chart.cgi contains a method plot(), that creates a new chart:

sub plot {
    validateWidthAndHeight();
    $vars->{'chart'} = new Bugzilla::Chart($cgi);

    my $format = $template->get_format("reports/chart", "", scalar($cgi->param('ctype')));

    # Debugging PNGs is a pain; we need to be able to see the error messages
    if ($cgi->param('debug')) {
        print $cgi->header();
        $vars->{'chart'}->dump();
    }

    print $cgi->header($format->{'ctype'});
    disable_utf8() if ($format->{'ctype'} =~ /^image\//);

    $template->process($format->{'template'}, $vars)
      || ThrowTemplateError($template->error());
}

The function’s code shows that there is a “debug” parameter, that, if set, will make the function print out the variable that represents the chart with the dump() method implemented in Chart.pm:

sub dump {
    my $self = shift;

    # Make sure we've read in our data
    my $data = $self->data;

    require Data::Dumper;
    print "<pre>Bugzilla::Chart object:\n";
    print Data::Dumper::Dumper($self);
    print "</pre>";
}

The dump() method then prints the given data structures without any further checks. This includes user-defined variables sent as URL or HTTP POST parameters, especially “label0”. As the content of this variable is not checked for malicious input, it can be used to inject arbitrary JavaScript code into the debugging output. In fact, any variable of the form “labelXXX”, where “XXX” is an arbitrary number, will work. The view() method in chart.cgi also invokes dump() when the “debug” parameter is set:

sub view {
[...]
    # If we have having problems with bad data, we can set debug=1 to dump
    # the data structure.
    $chart->dump() if $cgi->param('debug');
[...]
}

After reporting the bug, the Bugzilla team discovered that almost the same code is used in report.cgi, too, leading to the same problem:

# Problems with this CGI are often due to malformed data. Setting debug=1
# prints out both data structures.
if ($cgi->param('debug')) {
    require Data::Dumper;
    print "<pre>data hash:\n";
    print Data::Dumper::Dumper(%data) . "\n\n";
    print "data array:\n";
    print Data::Dumper::Dumper(@image_data) . "\n\n</pre>";
}

Triggering this XSS is more involved though. One attack vector would be for example to create a Bugzilla account, set one’s own real name to contain JavaScript code, add a new bug and then create a report where one of the axes is the assignee’s real name. Adding the debug=1 parameter to the resulting image URL will then include the name in the output, triggering the XSS.

Proof of Concept

The following URL generates a new chart with debugging output enabled, containing JavaScript code in the “label0” parameter:

http://www.example.org/bugzilla/chart.cgi
  ?category=-All-
  &datefrom=
  &dateto=
  &label0=<script>alert("XSS")</script>
  &line0=1
  &name=1
  &subcategory=-All-
  &ctype=png
  &action=plot
  &width=600
  &height=350
  &debug=1

The next URL triggers an XSS if one’s real name includes JavaScript code, e.g. John Doe<script>alert("XSS")</script>:

http://www.example.org/bugzilla/report.cgi
  ?query_format=report-graph
  &x_axis_field=bug_status
  &x_labels_vertical=1
  &y_axis_field=assigned_to_realname
  &format=bar
  &ctype=png
  &action=plot
  &width=600
  &height=350
  &debug=1

Workaround

Manually remove the debugging code from chart.cgi and report.cgi, as it is not needed for Bugzilla to function properly.

Fix

Update to one of the following versions: 3.4.13, 3.6.7, 4.0.3 or 4.2rc1.

Security Risk

The risk of this vulnerability is estimated to be high. Being able to embed arbitrary JavaScript code allows attackers to completely manipulate the website, add their own content and track all user interaction.

History

  • 2011-10-17 Vulnerability identified
  • 2011-10-25 Customer approved disclosure to vendor
  • 2011-10-27 Vendor notified
  • 2011-11-21 CVE number assigned
  • 2011-12-28 Vendor released fixed version
  • 2012-01-03 Advisory released

References

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.