CVE-2002-0804
CVSS 7.5
Published: 2002-08-12 00:00:00
Last revised: 2008-09-05 16:28:59

[Original] Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, when configured to perform reverse DNS lookups, allows remote attackers to bypass IP restrictions by connecting from a system with a spoofed reverse DNS hostname.


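[CNNVD] Multiple Bugzilla security vulnerabilities (CNNVD-200208-198)

Bugzilla is a web-based bug tracking system that uses Perl and a MySQL database and runs on a variety of Unix and Linux operating systems.
Bugzilla contains multiple vulnerabilities that allow remote attackers to obtain product information or gain unauthorized access to Bugzilla.
The vulnerabilities are as follows:
The queryhelp.cgi script in Bugzilla contains a flaw that allows remote users to obtain information about products that are set as confidential in the Bugzilla database.
Setting up a forged reverse DNS entry can let a user bypass the IP check. If the Bugzilla web server is configured to perform reverse DNS lookups, an attacker who controls the reverse resolution of an IP address can hijack user sessions, resulting in theft of the user's authentication cookie information.
When a directory does not exist, Mozilla attempts to create it; however, by default the directory is usually created with world-writable permissions.
Even when the 'allowuserdeletion' option is used, the edituser.cgi script may allow any user with privileges to edit any other user's details to delete users.
The Real Name field does not properly filter HTML tags; an attacker can enter malicious HTML in this field, resulting in a cross-site scripting attack.
When a mass change is performed, the group settings of all bugs in the change are set to the same group attributes as the first bug.
Bugzilla does not correctly handle the encoding used by some browsers (such as NetPositive), which can cause various problems, including removal of the group restrictions on a bug.
Because the shadow database synchronization is performed insecurely, under some conditions sensitive user data can be output at random.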

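- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]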

- CPE (affected platforms and products)

cpe:/a:mozilla:bugzilla:2.14 (Mozilla Bugzilla 2.14)
cpe:/a:mozilla:bugzilla:2.16:rc1 (Mozilla Bugzilla 2.16 rc1)
cpe:/a:mozilla:bugzilla:2.16 (Mozilla Bugzilla 2.16)
cpe:/a:mozilla:bugzilla:2.14.1 (Mozilla Bugzilla 2.14.1)

- OVAL (technical details used for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0804
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0804
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-198
(Official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html
(VENDOR_ADVISORY)  BUGTRAQ  20020608 [BUGZILLA] Security Advisory For Versions of Bugzilla 2.14 Prior To 2.14.2, 2.16 Prior To 2.16rc2
http://bugzilla.mozilla.org/show_bug.cgi?id=129466
(UNKNOWN)  CONFIRM  http://bugzilla.mozilla.org/show_bug.cgi?id=129466
http://www.securityfocus.com/bid/4964
(UNKNOWN)  BID  4964
http://www.redhat.com/support/errata/RHSA-2002-109.html
(UNKNOWN)  REDHAT  RHSA-2002:109
http://www.osvdb.org/6394
(UNKNOWN)  OSVDB  6394
http://www.iss.net/security_center/static/9301.php
(UNKNOWN)  XF  bugzilla-reversedns-hostname-spoof(9301)

- Vulnerability information

Multiple Bugzilla security vulnerabilities
High risk  Other
2002-08-12 00:00:00 2005-05-02 00:00:00
Remote

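- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measure to reduce the risk:
* Apply access control to the Bugzilla system so that only trusted users can access it.
Vendor patch:
Mozilla
-------
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's site:
Mozilla Upgrade bugzilla-2.14.2.tar.gz

http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.2.tar.gz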

- Vulnerability information

6394
Bugzilla Reverse DNS Failure IP Check Bypass
Remote / Network Access Authentication Management, Input Manipulation
Loss of Confidentiality
Exploit Public

- Vulnerability description

Bugzilla with Apache contains a flaw that may allow a malicious user to bypass authentication. The issue is triggered when Apache is configured to perform reverse DNS lookups and a user controls DNS so that their address resolves to an allowed hostname or a pre-authenticated hostname. The flaw may allow access to the Bugzilla site, resulting in a loss of confidentiality.

- Timeline

2002-06-08 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.14.2 or 2.16rc2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Vulnerability information

Multiple Bugzilla Security Vulnerabilities
Origin Validation Error 4964
Yes No
2002-06-08 12:00:00 2009-07-11 01:56:00
Vulnerability announced by David Miller <justdave@syndicomm.com>.

- Affected program versions

Mozilla Bugzilla 2.14.1
Mozilla Bugzilla 2.14
- RedHat Linux 7.1
- RedHat Linux 7.0
Mozilla Bugzilla 2.14.2
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0

- Unaffected program versions

Mozilla Bugzilla 2.14.2
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0

- Vulnerability discussion

Bugzilla is a freely available, open source bug tracking software package. It is available for Linux, Unix, and Microsoft Operating Systems.

Under some circumstances, Bugzilla may leak information about confidential products. The queryhelp.cgi script does not observe any restrictions that may be set on the display of products in the Bugzilla database. Because of this, a user executing the script may be able to gain access to information about confidential products.

Several problems have been discovered in Bugzilla that may allow remote users to gain information through information leakage, or unauthorized access to Bugzilla.

The queryhelp.cgi script distributed with Bugzilla could allow remote users to gain access to information about products that are set as confidential in the Bugzilla database.

An attacker may be able to hijack user sessions provided the attacker has reverse resolution authority for an IP address, and is able to steal a user's authentication cookie.

When a directory does not exist, Mozilla will attempt to create it. However, by default, the directory is usually created with world-writeable permissions.

It is possible for any user with permissions to edit any other user's details to delete any other user of the board through the edituser.cgi script.

The Real Names field does not filter HTML. An attacker may be able to input malicious HTML in the field, resulting in a cross-site scripting attack.

When performing a mass change, the groupset of all bugs is set to the groupset of the first bug in the mass change sequence.

Bugzilla did not handle encoding from some browsers, which could lead to unintended consequences, such as setting private or confidential information to a publicly displayed mode.

The syncing of the shadow database was done insecurely. Under some circumstances, this could output sensitive data to a user of Bugzilla at random.

- Exploitation

Many of these vulnerabilities may be exploited with a web browser.

- Solution

FreeBSD has released a Security Notice FreeBSD-SN-02:05. Users of FreeBSD systems are strongly urged to upgrade their ports tree to fix various reported issues. Further information can be found in the referenced Security Notice.

Fixes available:


Mozilla Bugzilla 2.14

Mozilla Bugzilla 2.14.1
