Vulnerabilities > CVE-2010-3172 - Code Injection vulnerability in Mozilla Bugzilla

047910
CVSS 2.6 - LOW
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
high complexity
mozilla
CWE-94
nessus

Summary

CRLF injection vulnerability in Bugzilla before 3.2.9, 3.4.x before 3.4.9, 3.6.x before 3.6.3, and 4.0.x before 4.0rc1, when Server Push is enabled in a web browser, allows remote attackers to inject arbitrary HTTP headers and content, and conduct HTTP response splitting attacks, via a crafted URL.

Vulnerable Configurations

Part Description Count
Application
Mozilla
126

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201110-03.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201110-03 (Bugzilla: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Bugzilla. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could conduct cross-site scripting attacks, conduct script insertion and spoofing attacks, hijack the authentication of arbitrary users, inject arbitrary HTTP headers, obtain access to arbitrary accounts, disclose the existence of confidential groups and its names, or inject arbitrary e-mail headers. A local attacker could disclose the contents of temporarfy files for uploaded attachments. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id56445
    published2011-10-11
    reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/56445
    titleGLSA-201110-03 : Bugzilla: Multiple vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201110-03.
    #
    # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(56445);
      script_version("1.8");
      script_cvs_date("Date: 2018/07/11 17:09:26");
    
      script_cve_id("CVE-2010-2761", "CVE-2010-3172", "CVE-2010-3764", "CVE-2010-4411", "CVE-2010-4567", "CVE-2010-4568", "CVE-2010-4569", "CVE-2010-4570", "CVE-2010-4572", "CVE-2011-0046", "CVE-2011-0048", "CVE-2011-2379", "CVE-2011-2380", "CVE-2011-2381", "CVE-2011-2976", "CVE-2011-2977", "CVE-2011-2978", "CVE-2011-2979");
      script_bugtraq_id(44618, 45145, 45982, 49042);
      script_xref(name:"GLSA", value:"201110-03");
    
      script_name(english:"GLSA-201110-03 : Bugzilla: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201110-03
    (Bugzilla: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in Bugzilla. Please review
          the CVE identifiers referenced below for details.
      
    Impact :
    
        A remote attacker could conduct cross-site scripting attacks, conduct
          script insertion and spoofing attacks, hijack the authentication of
          arbitrary users, inject arbitrary HTTP headers, obtain access to
          arbitrary accounts, disclose the existence of confidential groups and its
          names, or inject arbitrary e-mail headers.
        A local attacker could disclose the contents of temporarfy files for
          uploaded attachments.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201110-03"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Bugzilla users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=www-apps/bugzilla-3.6.6'
        NOTE: This is a legacy GLSA. Updates for all affected architectures are
          available since August 27, 2011. It is likely that your system is already
          no longer affected by this issue."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:bugzilla");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/10/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/11");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"www-apps/bugzilla", unaffected:make_list("ge 3.6.6"), vulnerable:make_list("lt 3.6.6"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Bugzilla");
    }
    
  • NASL familyCGI abuses
    NASL idBUGZILLA_RESPONSE_SPLITTING.NASL
    descriptionThe version of Bugzilla hosted on the remote web server allows injection of arbitrary HTTP headers and content when Server Push is enabled in a browser. Note that the install also likely creates restricted reports in a known location and with predictable names, which can lead to a loss of information, although Nessus has not checked for this.
    last seen2020-06-01
    modified2020-06-02
    plugin id50599
    published2010-11-15
    reporterThis script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/50599
    titleBugzilla Response Splitting
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(50599);
      script_version("1.10");
      script_cvs_date("Date: 2018/11/28 22:47:41");
    
      script_cve_id("CVE-2010-3172");
      script_bugtraq_id(44618);
    
      script_name(english:"Bugzilla Response Splitting");
      script_summary(english:"Look for response splitting flaw.");
    
      script_set_attribute(attribute:"synopsis", value:"A web application is affected by a response splitting vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of Bugzilla hosted on the remote web server allows
    injection of arbitrary HTTP headers and content when Server Push is
    enabled in a browser.
    
    Note that the install also likely creates restricted reports in a
    known location and with predictable names, which can lead to a loss
    of information, although Nessus has not checked for this."
      );
      script_set_attribute(attribute:"see_also", value:"https://www.bugzilla.org/security/3.2.8/");
      script_set_attribute(attribute:"solution", value:"Update to Bugzilla 3.2.9 / 3.4.9 / 3.6.3 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/11/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/11/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/11/15");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:bugzilla");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencie("bugzilla_detect.nasl");
      script_require_ports("Services/www", 80);
      script_require_keys("installed_sw/Bugzilla");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    global_var	hd, output, attack_req1, attack_req2;
    
    hd = make_array(
    "Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language", "en-us;q=0.5,en;q=0.3",
    # The User-Agent is necessary to trigger the right behavior
    "User-Agent", "Mozilla/5.0 (X11; U; Linux i686 (x86_64); fr; rv:1.9.1.10) Gecko/20100504 Firefox/3.5.10",
    "Accept-Charset", "ISO-8859-1,utf-8;q=0.7,*;q=0.7");
    
    function extract_boundaries(port, u)
    {
      local_var	w, loc, v, l, b, boundaries;
    
      w = http_send_recv3(method:"GET", item: u, port: port, add_headers: hd, exit_on_fail: 1);
      if (w[0] !~ "^HTTP/[0-9.]+ +200 ") return NULL;
    
      # No need to set follow_redirect, we have to issue a GET after that.
      w = http_send_recv3(method:"POST", item: u, port: port, exit_on_fail: 1,
        content_type: "application/x-www-form-urlencoded", add_headers: hd,
        data: "query_format=advanced&short_desc_type=allwordssubstr&short_desc=&longdesc_type=allwordssubstr&longdesc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailassigned_to1=1&emailtype1=substring&email1=&emailassigned_to2=1&emailreporter2=1&emailcc2=1&emailtype2=substring&email2=&bug_id_type=anyexact&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=Reuse+same+sort+as+last+time&field0-0-0=noop&type0-0-0=noop&value0-0-0=");
    
      attack_req1 = http_last_sent_request();
      if (w[0] =~ "^HTTP/[0-9.]+ 30[12] ")
      {
        loc = egrep (string: w[1], pattern:"^Location:", icase: 1);
        if (!loc) return NULL;
        v = eregmatch(string: chomp(loc), pattern: "^Location: *(https?://[^/]+(:[0-9]+)?)?(/.*)");
        if (isnull(v)) return NULL;
        u = v[3];
        w = http_send_recv3(method:"GET", item: u, port: port, exit_on_fail: 1, add_headers: hd);
        attack_req2 = http_last_sent_request();
      }
      if (w[0] !~ "^HTTP/[0-9.]+ +200 ") return NULL;
    
      boundaries = egrep(string: w[2], pattern: "^--------- =");
      if (!boundaries) return NULL;
    
      foreach b (split(boundaries, keep: 0))
      {
        v = eregmatch(string: b, pattern: "^--------- *=([^-]+(-+)$)");
        if (!isnull(v))
        {
          l = v[1];
          output = strstr(w[2], l);
          break;
        }
      }
      if (empty_or_null(l)) return NULL;
      return l;
    }
    
    app = 'Bugzilla';
    get_install_count(app_name:app, exit_if_zero:TRUE);
    
    port = get_http_port(default: 80, embedded: 0);
    
    install = get_single_install(
      app_name : app,
      port     : port,
      exit_if_unknown_ver : TRUE
    );
    
    dir = install['path'];
    version = install['version'];
    install_loc = build_url(port:port, qs:dir);
    
    u = dir + "/buglist.cgi?query_format=advanced";
    b = extract_boundaries(port: port, u: u);
    if (isnull(b)) exit(0, "Output is not multipart.");
    
    if (b =~ '_aaaaaaaaaa0(--)?')	# Default boundary
    {
      b2 = extract_boundaries(port: port, u: u);
      if (isnull(b2)) exit(1, "Output is not multipart.");
    
      if (b == b2)	# Constant boundary
      {
        security_report_v4(
          port       : port,
          severity   : SECURITY_WARNING,
          generic    : TRUE,
          line_limit : 5,
          request    : make_list(attack_req1, attack_req2),
          output     : output
        );
        exit(0);
      }
    }
    audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_loc);
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_3_PERL-CGI-SIMPLE-110107.NASL
    descriptionA HTTP header injection attack was fixed in perl-CGI-Simple. CVE-2010-2761 has been assigned to this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id75708
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75708
    titleopenSUSE Security Update : perl-CGI-Simple (openSUSE-SU-2011:0020-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update perl-CGI-Simple-3785.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(75708);
      script_version("1.4");
      script_cvs_date("Date: 2019/10/25 13:36:41");
    
      script_cve_id("CVE-2010-2761", "CVE-2010-3172");
    
      script_name(english:"openSUSE Security Update : perl-CGI-Simple (openSUSE-SU-2011:0020-1)");
      script_summary(english:"Check for the perl-CGI-Simple-3785 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A HTTP header injection attack was fixed in perl-CGI-Simple.
    CVE-2010-2761 has been assigned to this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=657731"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2011-01/msg00009.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected perl-CGI-Simple package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:perl-CGI-Simple");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/01/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.3", reference:"perl-CGI-Simple-1.112-7.3.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "perl-CGI-Simple");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_2_PERL-110112.NASL
    descriptionMultiple header injection problems in the CGI module of perl have been fixed. They allowed to inject HTTP headers in responses. CVE-2010-2761, CVE-2010-4410 and CVE-2010-4411 have been assigned to this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id53789
    published2011-05-05
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/53789
    titleopenSUSE Security Update : perl (openSUSE-SU-2011:0064-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update perl-3806.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(53789);
      script_version("1.6");
      script_cvs_date("Date: 2019/10/25 13:36:41");
    
      script_cve_id("CVE-2010-2761", "CVE-2010-3172", "CVE-2010-4410", "CVE-2010-4411");
    
      script_name(english:"openSUSE Security Update : perl (openSUSE-SU-2011:0064-1)");
      script_summary(english:"Check for the perl-3806 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple header injection problems in the CGI module of perl have been
    fixed. They allowed to inject HTTP headers in responses.
    CVE-2010-2761, CVE-2010-4410 and CVE-2010-4411 have been assigned to
    this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=657343"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2011-01/msg00027.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected perl packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:perl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:perl-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:perl-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:perl-base-32bit");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/01/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/05/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.2", reference:"perl-5.10.0-72.9.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"perl-base-5.10.0-72.9.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", cpu:"x86_64", reference:"perl-32bit-5.10.0-72.9.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", cpu:"x86_64", reference:"perl-base-32bit-5.10.0-72.9.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "perl");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2010-17274.NASL
    descriptionThe following security issues have been discovered in Bugzilla : - There is a way to inject both headers and content to users, causing a serious Cross-Site Scripting vulnerability. - It was possible to see graphs from Old Charts even if you did not have access to a particular product, and you could browse a particular URL to see all product names. - YUI 2.8.1, which shipped with Bugzilla starting with 3.7.x, contained a security vulnerability. The version of YUI shipped with Bugzilla 4.0rc1 and above has been updated to 2.8.2. These are tracked by CVE-2010-3764. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id50595
    published2010-11-15
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/50595
    titleFedora 14 : bugzilla-3.6.3-1.fc14 (2010-17274)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2010-17274.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(50595);
      script_version("1.10");
      script_cvs_date("Date: 2019/08/02 13:32:32");
    
      script_cve_id("CVE-2010-3172", "CVE-2010-3764", "CVE-2010-4207", "CVE-2010-4208", "CVE-2010-4209");
      script_xref(name:"FEDORA", value:"2010-17274");
    
      script_name(english:"Fedora 14 : bugzilla-3.6.3-1.fc14 (2010-17274)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The following security issues have been discovered in Bugzilla :
    
      - There is a way to inject both headers and content to
        users, causing a serious Cross-Site Scripting
        vulnerability.
    
      - It was possible to see graphs from Old Charts even if
        you did not have access to a particular product, and you
        could browse a particular URL to see all product names.
    
      - YUI 2.8.1, which shipped with Bugzilla starting with
        3.7.x, contained a security vulnerability. The version
        of YUI shipped with Bugzilla 4.0rc1 and above has been
        updated to 2.8.2.
    
    These are tracked by CVE-2010-3764.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=649398"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=649404"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2010-November/050820.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?8cbeaf3c"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected bugzilla package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:bugzilla");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:14");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/11/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/11/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^14([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 14.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC14", reference:"bugzilla-3.6.3-1.fc14")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bugzilla");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2010-17235.NASL
    descriptionThe following security issues have been discovered in Bugzilla : - There is a way to inject both headers and content to users, causing a serious Cross-Site Scripting vulnerability. - It was possible to see graphs from Old Charts even if you did not have access to a particular product, and you could browse a particular URL to see all product names. - YUI 2.8.1, which shipped with Bugzilla starting with 3.7.x, contained a security vulnerability. The version of YUI shipped with Bugzilla 4.0rc1 and above has been updated to 2.8.2. These are tracked by CVE-2010-3764. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id50594
    published2010-11-15
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/50594
    titleFedora 12 : bugzilla-3.4.9-1.fc12 (2010-17235)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_2_PERL-CGI-SIMPLE-110107.NASL
    descriptionA HTTP header injection attack was fixed in perl-CGI-Simple. CVE-2010-2761 has been assigned to this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id53790
    published2011-05-05
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/53790
    titleopenSUSE Security Update : perl-CGI-Simple (openSUSE-SU-2011:0020-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_PERL-7316.NASL
    descriptionMultiple header injection problems in the CGI module of perl have been fixed. They allowed to inject HTTP headers in responses. - have been assigned to this issue. (CVE-2010-2761 / CVE-2010-4410 / CVE-2010-4411)
    last seen2020-06-01
    modified2020-06-02
    plugin id51641
    published2011-01-21
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/51641
    titleSuSE 10 Security Update : Perl (ZYPP Patch Number 7316)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_PERL-110112.NASL
    descriptionMultiple header injection problems in the CGI module of perl have been fixed. They allowed to inject HTTP headers in responses. CVE-2010-2761 / CVE-2010-4410 / CVE-2010-4411 have been assigned to this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id51630
    published2011-01-21
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/51630
    titleSuSE 11.1 Security Update : perl (SAT Patch Number 3804)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_3_PERL-110112.NASL
    descriptionMultiple header injection problems in the CGI module of perl have been fixed. They allowed to inject HTTP headers in responses. CVE-2010-2761, CVE-2010-4410 and CVE-2010-4411 have been assigned to this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id75705
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75705
    titleopenSUSE Security Update : perl (openSUSE-SU-2011:0064-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2010-17280.NASL
    descriptionThe following security issues have been discovered in Bugzilla : - There is a way to inject both headers and content to users, causing a serious Cross-Site Scripting vulnerability. - It was possible to see graphs from Old Charts even if you did not have access to a particular product, and you could browse a particular URL to see all product names. - YUI 2.8.1, which shipped with Bugzilla starting with 3.7.x, contained a security vulnerability. The version of YUI shipped with Bugzilla 4.0rc1 and above has been updated to 2.8.2. These are tracked by CVE-2010-3764. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id50596
    published2010-11-15
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/50596
    titleFedora 13 : bugzilla-3.4.9-1.fc13 (2010-17280)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2010-237.NASL
    descriptionA new version of the CGI Perl module has been released to CPAN, which fixes several security bugs which directly affect Bugzilla (these two security bugs where first discovered as affecting Bugzilla, then identified as being bugs in CGI.pm itself). The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hard-coded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172 (CVE-2010-2761). CRLF injection vulnerability in the header function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors related to non-whitespace characters preceded by newline characters, a different vulnerability than CVE-2010-2761 and CVE-2010-3172 (CVE-2010-4410). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=4 90 The updated packages have been upgraded to perl-CGI 3.50 to solve these security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id50609
    published2010-11-16
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/50609
    titleMandriva Linux Security Advisory : perl-CGI (MDVSA-2010:237)