Vulnerabilities > CVE-2010-3172 - Code Injection vulnerability in Mozilla Bugzilla
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
CRLF injection vulnerability in Bugzilla before 3.2.9, 3.4.x before 3.4.9, 3.6.x before 3.6.3, and 4.0.x before 4.0rc1, when Server Push is enabled in a web browser, allows remote attackers to inject arbitrary HTTP headers and content, and conduct HTTP response splitting attacks, via a crafted URL.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leverage Executable Code in Non-Executable Files: An attack of this type exploits a system's trust in configuration and resource files. When the executable loads a resource (such as an image file or configuration file), the attacker has already modified that file either to execute malicious code directly or to manipulate the target process (e.g. an application server) into acting on malicious configuration parameters. Since systems increasingly mash up resources from local and remote sources, the likelihood of this attack is high. The attack can be directed at a client system, for example causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files: the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/), e.g. http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes it is reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits a resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE application server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but once it is manipulated, the attacker gains full control.
- Manipulating User-Controlled Variables: This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that the application server uses directly without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Nessus
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201110-03.NASL
description: The remote host is affected by the vulnerability described in GLSA-201110-03 (Bugzilla: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in Bugzilla. Please review the CVE identifiers referenced below for details. Impact: A remote attacker could conduct cross-site scripting attacks, conduct script insertion and spoofing attacks, hijack the authentication of arbitrary users, inject arbitrary HTTP headers, obtain access to arbitrary accounts, disclose the existence of confidential groups and their names, or inject arbitrary e-mail headers. A local attacker could disclose the contents of temporary files for uploaded attachments. Workaround: There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 56445
published: 2011-10-11
reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/56445
title: GLSA-201110-03 : Bugzilla: Multiple vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201110-03.
#
# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(56445);
  script_version("1.8");
  script_cvs_date("Date: 2018/07/11 17:09:26");

  script_cve_id("CVE-2010-2761", "CVE-2010-3172", "CVE-2010-3764", "CVE-2010-4411", "CVE-2010-4567", "CVE-2010-4568", "CVE-2010-4569", "CVE-2010-4570", "CVE-2010-4572", "CVE-2011-0046", "CVE-2011-0048", "CVE-2011-2379", "CVE-2011-2380", "CVE-2011-2381", "CVE-2011-2976", "CVE-2011-2977", "CVE-2011-2978", "CVE-2011-2979");
  script_bugtraq_id(44618, 45145, 45982, 49042);
  script_xref(name:"GLSA", value:"201110-03");

  script_name(english:"GLSA-201110-03 : Bugzilla: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-201110-03
(Bugzilla: Multiple vulnerabilities)

Multiple vulnerabilities have been discovered in Bugzilla. Please review
the CVE identifiers referenced below for details.

Impact :

A remote attacker could conduct cross-site scripting attacks, conduct
script insertion and spoofing attacks, hijack the authentication of
arbitrary users, inject arbitrary HTTP headers, obtain access to
arbitrary accounts, disclose the existence of confidential groups and
its names, or inject arbitrary e-mail headers. A local attacker could
disclose the contents of temporary files for uploaded attachments.

Workaround :

There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201110-03"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All Bugzilla users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose '>=www-apps/bugzilla-3.6.6'

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since August 27, 2011. It is likely that your system is
already no longer affected by this issue."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:bugzilla");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2011/10/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/11");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (qpkg_check(package:"www-apps/bugzilla", unaffected:make_list("ge 3.6.6"), vulnerable:make_list("lt 3.6.6"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Bugzilla");
}
NASL family: CGI abuses
NASL id: BUGZILLA_RESPONSE_SPLITTING.NASL
description: The version of Bugzilla hosted on the remote web server allows injection of arbitrary HTTP headers and content when Server Push is enabled in a browser. Note that the install also likely creates restricted reports in a known location and with predictable names, which can lead to a loss of information, although Nessus has not checked for this.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 50599
published: 2010-11-15
reporter: This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/50599
title: Bugzilla Response Splitting
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(50599);
  script_version("1.10");
  script_cvs_date("Date: 2018/11/28 22:47:41");

  script_cve_id("CVE-2010-3172");
  script_bugtraq_id(44618);

  script_name(english:"Bugzilla Response Splitting");
  script_summary(english:"Look for response splitting flaw.");

  script_set_attribute(attribute:"synopsis", value:"A web application is affected by a response splitting vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Bugzilla hosted on the remote web server allows injection of
arbitrary HTTP headers and content when Server Push is enabled in a browser.

Note that the install also likely creates restricted reports in a known
location and with predictable names, which can lead to a loss of
information, although Nessus has not checked for this.");
  script_set_attribute(attribute:"see_also", value:"https://www.bugzilla.org/security/3.2.8/");
  script_set_attribute(attribute:"solution", value:"Update to Bugzilla 3.2.9 / 3.4.9 / 3.6.3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/11/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/11/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/11/15");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:bugzilla");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencie("bugzilla_detect.nasl");
  script_require_ports("Services/www", 80);
  script_require_keys("installed_sw/Bugzilla");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

global_var hd, output, attack_req1, attack_req2;

hd = make_array(
  "Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
  "Accept-Language", "en-us;q=0.5,en;q=0.3",
  # The User-Agent is necessary to trigger the right behavior
  "User-Agent", "Mozilla/5.0 (X11; U; Linux i686 (x86_64); fr; rv:1.9.1.10) Gecko/20100504 Firefox/3.5.10",
  "Accept-Charset", "ISO-8859-1,utf-8;q=0.7,*;q=0.7");

# Issues the advanced-search request and returns the multipart boundary
# token found in the response body (NULL if the output is not multipart).
function extract_boundaries(port, u)
{
  local_var w, loc, v, l, b, boundaries;

  w = http_send_recv3(method:"GET", item: u, port: port, add_headers: hd, exit_on_fail: 1);
  if (w[0] !~ "^HTTP/[0-9.]+ +200 ") return NULL;

  # No need to set follow_redirect, we have to issue a GET after that.
  w = http_send_recv3(method:"POST", item: u, port: port, exit_on_fail: 1,
    content_type: "application/x-www-form-urlencoded", add_headers: hd,
    data: "query_format=advanced&short_desc_type=allwordssubstr&short_desc=&longdesc_type=allwordssubstr&longdesc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailassigned_to1=1&emailtype1=substring&email1=&emailassigned_to2=1&emailreporter2=1&emailcc2=1&emailtype2=substring&email2=&bug_id_type=anyexact&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=Reuse+same+sort+as+last+time&field0-0-0=noop&type0-0-0=noop&value0-0-0=");
  attack_req1 = http_last_sent_request();

  if (w[0] =~ "^HTTP/[0-9.]+ 30[12] ")
  {
    loc = egrep(string: w[1], pattern:"^Location:", icase: 1);
    if (!loc) return NULL;
    v = eregmatch(string: chomp(loc), pattern: "^Location: *(https?://[^/]+(:[0-9]+)?)?(/.*)");
    if (isnull(v)) return NULL;
    u = v[3];
    w = http_send_recv3(method:"GET", item: u, port: port, exit_on_fail: 1, add_headers: hd);
    attack_req2 = http_last_sent_request();
  }
  if (w[0] !~ "^HTTP/[0-9.]+ +200 ") return NULL;

  boundaries = egrep(string: w[2], pattern: "^--------- =");
  if (!boundaries) return NULL;

  foreach b (split(boundaries, keep: 0))
  {
    v = eregmatch(string: b, pattern: "^--------- *=([^-]+(-+)$)");
    if (!isnull(v))
    {
      l = v[1];
      output = strstr(w[2], l);
      break;
    }
  }
  if (empty_or_null(l)) return NULL;
  return l;
}

app = 'Bugzilla';
get_install_count(app_name:app, exit_if_zero:TRUE);
port = get_http_port(default: 80, embedded: 0);

install = get_single_install(
  app_name : app,
  port : port,
  exit_if_unknown_ver : TRUE
);
dir = install['path'];
version = install['version'];
install_loc = build_url(port:port, qs:dir);

u = dir + "/buglist.cgi?query_format=advanced";

b = extract_boundaries(port: port, u: u);
if (isnull(b)) exit(0, "Output is not multipart.");

if (b =~ '_aaaaaaaaaa0(--)?')  # Default boundary
{
  b2 = extract_boundaries(port: port, u: u);
  if (isnull(b2)) exit(1, "Output is not multipart.");
  if (b == b2)  # Constant boundary
  {
    security_report_v4(
      port       : port,
      severity   : SECURITY_WARNING,
      generic    : TRUE,
      line_limit : 5,
      request    : make_list(attack_req1, attack_req2),
      output     : output
    );
    exit(0);
  }
}
audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_loc);
NASL family: SuSE Local Security Checks
NASL id: SUSE_11_3_PERL-CGI-SIMPLE-110107.NASL
description: An HTTP header injection attack was fixed in perl-CGI-Simple. CVE-2010-2761 has been assigned to this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 75708
published: 2014-06-13
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/75708
title: openSUSE Security Update : perl-CGI-Simple (openSUSE-SU-2011:0020-1)
code:
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update perl-CGI-Simple-3785.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(75708);
  script_version("1.4");
  script_cvs_date("Date: 2019/10/25 13:36:41");

  script_cve_id("CVE-2010-2761", "CVE-2010-3172");

  script_name(english:"openSUSE Security Update : perl-CGI-Simple (openSUSE-SU-2011:0020-1)");
  script_summary(english:"Check for the perl-CGI-Simple-3785 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:"A HTTP header injection attack was fixed in perl-CGI-Simple. CVE-2010-2761 has been assigned to this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=657731"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.opensuse.org/opensuse-updates/2011-01/msg00009.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected perl-CGI-Simple package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:perl-CGI-Simple");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.3");

  script_set_attribute(attribute:"patch_publication_date", value:"2011/01/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE11\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE11.3", reference:"perl-CGI-Simple-1.112-7.3.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "perl-CGI-Simple");
}
NASL family: SuSE Local Security Checks
NASL id: SUSE_11_2_PERL-110112.NASL
description: Multiple header injection problems in the CGI module of perl have been fixed. They allowed injecting HTTP headers into responses. CVE-2010-2761, CVE-2010-4410 and CVE-2010-4411 have been assigned to this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 53789
published: 2011-05-05
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/53789
title: openSUSE Security Update : perl (openSUSE-SU-2011:0064-1)
code:
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update perl-3806.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(53789);
  script_version("1.6");
  script_cvs_date("Date: 2019/10/25 13:36:41");

  script_cve_id("CVE-2010-2761", "CVE-2010-3172", "CVE-2010-4410", "CVE-2010-4411");

  script_name(english:"openSUSE Security Update : perl (openSUSE-SU-2011:0064-1)");
  script_summary(english:"Check for the perl-3806 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:"Multiple header injection problems in the CGI module of perl have been fixed. They allowed to inject HTTP headers in responses. CVE-2010-2761, CVE-2010-4410 and CVE-2010-4411 have been assigned to this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=657343"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.opensuse.org/opensuse-updates/2011-01/msg00027.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected perl packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:perl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:perl-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:perl-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:perl-base-32bit");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.2");

  script_set_attribute(attribute:"patch_publication_date", value:"2011/01/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/05/05");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE11\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.2", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE11.2", reference:"perl-5.10.0-72.9.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"perl-base-5.10.0-72.9.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", cpu:"x86_64", reference:"perl-32bit-5.10.0-72.9.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", cpu:"x86_64", reference:"perl-base-32bit-5.10.0-72.9.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "perl");
}
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2010-17274.NASL
description: The following security issues have been discovered in Bugzilla:
- There is a way to inject both headers and content to users, causing a serious Cross-Site Scripting vulnerability.
- It was possible to see graphs from Old Charts even if you did not have access to a particular product, and you could browse a particular URL to see all product names.
- YUI 2.8.1, which shipped with Bugzilla starting with 3.7.x, contained a security vulnerability. The version of YUI shipped with Bugzilla 4.0rc1 and above has been updated to 2.8.2. These are tracked by CVE-2010-3764.
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 50595
published: 2010-11-15
reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/50595
title: Fedora 14 : bugzilla-3.6.3-1.fc14 (2010-17274)
code:
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2010-17274.
#

include("compat.inc");

if (description)
{
  script_id(50595);
  script_version("1.10");
  script_cvs_date("Date: 2019/08/02 13:32:32");

  script_cve_id("CVE-2010-3172", "CVE-2010-3764", "CVE-2010-4207", "CVE-2010-4208", "CVE-2010-4209");
  script_xref(name:"FEDORA", value:"2010-17274");

  script_name(english:"Fedora 14 : bugzilla-3.6.3-1.fc14 (2010-17274)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The following security issues have been discovered in Bugzilla :

  - There is a way to inject both headers and content to
    users, causing a serious Cross-Site Scripting
    vulnerability.

  - It was possible to see graphs from Old Charts even if
    you did not have access to a particular product, and you
    could browse a particular URL to see all product names.

  - YUI 2.8.1, which shipped with Bugzilla starting with
    3.7.x, contained a security vulnerability. The version
    of YUI shipped with Bugzilla 4.0rc1 and above has been
    updated to 2.8.2. These are tracked by CVE-2010-3764.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=649398"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=649404"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2010-November/050820.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?8cbeaf3c"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected bugzilla package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:bugzilla");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:14");

  script_set_attribute(attribute:"patch_publication_date", value:"2010/11/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/11/15");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^14([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 14.x", "Fedora " + os_ver);
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC14", reference:"bugzilla-3.6.3-1.fc14")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bugzilla");
}
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2010-17235.NASL
description: The following security issues have been discovered in Bugzilla:
- There is a way to inject both headers and content to users, causing a serious Cross-Site Scripting vulnerability.
- It was possible to see graphs from Old Charts even if you did not have access to a particular product, and you could browse a particular URL to see all product names.
- YUI 2.8.1, which shipped with Bugzilla starting with 3.7.x, contained a security vulnerability. The version of YUI shipped with Bugzilla 4.0rc1 and above has been updated to 2.8.2. These are tracked by CVE-2010-3764.
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 50594
published: 2010-11-15
reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/50594
title: Fedora 12 : bugzilla-3.4.9-1.fc12 (2010-17235)

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_2_PERL-CGI-SIMPLE-110107.NASL
description: An HTTP header injection attack was fixed in perl-CGI-Simple. CVE-2010-2761 has been assigned to this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 53790
published: 2011-05-05
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/53790
title: openSUSE Security Update : perl-CGI-Simple (openSUSE-SU-2011:0020-1)

NASL family: SuSE Local Security Checks
NASL id: SUSE_PERL-7316.NASL
description: Multiple header injection problems in the CGI module of perl have been fixed. They allowed injecting HTTP headers into responses. CVE-2010-2761 / CVE-2010-4410 / CVE-2010-4411 have been assigned to this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 51641
published: 2011-01-21
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/51641
title: SuSE 10 Security Update : Perl (ZYPP Patch Number 7316)

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_PERL-110112.NASL
description: Multiple header injection problems in the CGI module of perl have been fixed. They allowed injecting HTTP headers into responses. CVE-2010-2761 / CVE-2010-4410 / CVE-2010-4411 have been assigned to this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 51630
published: 2011-01-21
reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/51630
title: SuSE 11.1 Security Update : perl (SAT Patch Number 3804)

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_3_PERL-110112.NASL
description: Multiple header injection problems in the CGI module of perl have been fixed. They allowed injecting HTTP headers into responses. CVE-2010-2761, CVE-2010-4410 and CVE-2010-4411 have been assigned to this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 75705
published: 2014-06-13
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/75705
title: openSUSE Security Update : perl (openSUSE-SU-2011:0064-1)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2010-17280.NASL
description: The following security issues have been discovered in Bugzilla:
- There is a way to inject both headers and content to users, causing a serious Cross-Site Scripting vulnerability.
- It was possible to see graphs from Old Charts even if you did not have access to a particular product, and you could browse a particular URL to see all product names.
- YUI 2.8.1, which shipped with Bugzilla starting with 3.7.x, contained a security vulnerability. The version of YUI shipped with Bugzilla 4.0rc1 and above has been updated to 2.8.2. These are tracked by CVE-2010-3764.
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 50596
published: 2010-11-15
reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/50596
title: Fedora 13 : bugzilla-3.4.9-1.fc13 (2010-17280)

NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2010-237.NASL
description: A new version of the CGI Perl module has been released to CPAN, which fixes several security bugs that directly affect Bugzilla (these two security bugs were first discovered as affecting Bugzilla, then identified as being bugs in CGI.pm itself). The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hard-coded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172 (CVE-2010-2761). CRLF injection vulnerability in the header function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors related to non-whitespace characters preceded by newline characters, a different vulnerability than CVE-2010-2761 and CVE-2010-3172 (CVE-2010-4410). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490 The updated packages have been upgraded to perl-CGI 3.50 to solve these security issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 50609
published: 2010-11-16
reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/50609
title: Mandriva Linux Security Advisory : perl-CGI (MDVSA-2010:237)
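The constant-boundary check that the BUGZILLA_RESPONSE_SPLITTING.NASL plugin above performs, together with the two CGI.pm 3.50 fixes the Mandriva advisory describes (an unpredictable multipart boundary and the folding of newline-plus-non-whitespace in header values), as an added Python example that is not part of this page, of the Nessus plugin or of CGI.pm. The sample responses are constructed here and every function name is my own.

```python
import re
import secrets

# CGI.pm's multipart_init separates parts with "--------- =<boundary>"; the
# hard-coded default suffix "_aaaaaaaaaa0" is what the Nessus plugin on this
# page matches. Both regexes below follow the plugin's own patterns.
BOUNDARY_LINE_RE = re.compile(r"^--------- *=([^-\r\n]+(?:-+)?)\r?$", re.MULTILINE)
DEFAULT_BOUNDARY_RE = re.compile(r"_aaaaaaaaaa0(?:--)?$")


def extract_boundary(body):
    """Return the boundary token of a multipart/x-mixed-replace body, or None
    when the response is not multipart (the plugin then exits without a finding)."""
    m = BOUNDARY_LINE_RE.search(body)
    return m.group(1) if m else None


def boundary_is_predictable(first_body, second_body):
    """Detection logic mirroring the plugin: an install is flagged only when the
    boundary is the CGI.pm default AND identical across two separate responses,
    i.e. anyone can know it in advance, so echoed input containing it would end
    the current part and let the following bytes be parsed as part headers."""
    b1 = extract_boundary(first_body)
    b2 = extract_boundary(second_body)
    if b1 is None or b2 is None:
        return False
    return bool(DEFAULT_BOUNDARY_RE.search(b1)) and b1 == b2


def make_boundary():
    """Hardened counterpart of the default: an unguessable per-response boundary
    (my construction, keeping CGI.pm's "------- =_" prefix for the regex above)."""
    return "------- =_" + secrets.token_hex(16)


def fold_header_value(value):
    """Header-value fix as the advisory describes it for CGI.pm 3.50 (my own
    implementation): a newline followed by a non-whitespace character receives a
    leading space, so an injected line becomes a folded continuation of the same
    header instead of a new header."""
    value = value.replace("\r\n", "\n").replace("\r", "\n")
    return re.sub(r"\n(?=\S)", "\n ", value)


def is_clean_header_value(value):
    """Stricter policy for new code: refuse any CR or LF in a header value at all."""
    return "\r" not in value and "\n" not in value


def render_multipart(boundary, html):
    """Constructed minimal multipart/x-mixed-replace body for the self-test; like
    CGI.pm, each separator line is the boundary prefixed with "--"."""
    sep = "--" + boundary
    return sep + "\r\nContent-Type: text/html\r\n\r\n" + html + "\r\n" + sep + "--\r\n"


# Constructed sample responses (not real Bugzilla output).
UNPATCHED_RESPONSE = render_multipart("------- =_aaaaaaaaaa0", "<html>Searching...</html>")


def patched_response():
    return render_multipart(make_boundary(), "<html>Searching...</html>")


if __name__ == "__main__":
    print("unpatched flagged:", boundary_is_predictable(UNPATCHED_RESPONSE, UNPATCHED_RESPONSE))
    print("patched flagged:  ", boundary_is_predictable(patched_response(), patched_response()))
    print("folded header:    ", repr(fold_header_value("text/html\r\nX-Injected: 1")))
```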
References
- http://www.vupen.com/english/advisories/2010/2878
- http://www.bugzilla.org/security/3.2.8/
- https://bugzilla.mozilla.org/show_bug.cgi?id=600464
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050813.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050830.html
- http://www.securitytracker.com/id?1024683
- http://secunia.com/advisories/42271
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050820.html
- http://www.vupen.com/english/advisories/2010/2975