Advisory: Bugzilla: Cross-Site Scripting in Chart Generator

RedTeam Pentesting discovered a Cross-Site Scripting (XSS) vulnerability
in Bugzilla's chart generator during a penetration test.  If attackers
can persuade users to click on a prepared link or redirected them to
such a link from an attacker-controlled website, they are able to run
arbitrary JavaScript code in the context of the Bugzilla installation's
domain.

Details
=======

Product: Bugzilla
Affected Versions: 2.17.1 to 3.4.12, 3.5.1 to 3.6.6, 3.7.1 to 4.0.2,
                   4.1.1 to 4.1.3
Fixed Versions: 3.4.13, 3.6.7, 4.0.3, 4.2rc1
Vulnerability Type: Cross Site Scripting
Security Risk: high
Vendor URL: http://www.bugzilla.org
Vendor Status: fixed version released
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2012-001
Advisory Status: published
CVE: CVE-2011-3657
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3657


Introduction
============

"Bugzilla is a 'Defect Tracking System' or 'Bug-Tracking System'. Defect
Tracking Systems allow individual or groups of developers to keep track
of outstanding bugs in their product effectively. Most commercial
defect-tracking software vendors charge enormous licensing fees. Despite
being 'free', Bugzilla has many features its expensive counterparts
lack.  Consequently, Bugzilla has quickly become a favorite of thousands
of organizations across the globe."

(from Bugzilla's homepage)


More Details
============

The chart-generating script chart.cgi contains a method plot(), that
creates a new chart:

sub plot {
    validateWidthAndHeight();
    $vars->{'chart'} = new Bugzilla::Chart($cgi);

    my $format = $template->get_format("reports/chart", "", scalar($cgi->param('ctype')));

    # Debugging PNGs is a pain; we need to be able to see the error messages
    if ($cgi->param('debug')) {
        print $cgi->header();
        $vars->{'chart'}->dump();
    }

    print $cgi->header($format->{'ctype'});
    disable_utf8() if ($format->{'ctype'} =~ /^image\//);

    $template->process($format->{'template'}, $vars)
      || ThrowTemplateError($template->error());
}

The function's code shows that there is a "debug" parameter, that, if
set, will make the function print out the variable that represents the
chart with the dump() method implemented in Chart.pm:

sub dump {
    my $self = shift;

    # Make sure we've read in our data
    my $data = $self->data;

    require Data::Dumper;
    print "<pre>Bugzilla::Chart object:\n";
    print Data::Dumper::Dumper($self);
    print "</pre>";
}

The dump() method then prints the given data structures without any
further checks. This includes user-defined variables sent as URL or HTTP
POST parameters, especially "label0". As the content of this variable is
not checked for malicious input, it can be used to inject arbitrary
JavaScript code into the debugging output. In fact, any variable of the
form "labelXXX", where "XXX" is an arbitrary number, will work. The
view() method in chart.cgi also invokes dump() when the "debug"
parameter is set:

sub view {
[...]
    # If we have having problems with bad data, we can set debug=1 to dump
    # the data structure.
    $chart->dump() if $cgi->param('debug');
[...]
}

After reporting the bug, the Bugzilla team discovered that almost the
same code is used in report.cgi, too, leading to the same problem:

# Problems with this CGI are often due to malformed data. Setting debug=1
# prints out both data structures.
if ($cgi->param('debug')) {
    require Data::Dumper;
    print "<pre>data hash:\n";
    print Data::Dumper::Dumper(%data) . "\n\n";
    print "data array:\n";
    print Data::Dumper::Dumper(@image_data) . "\n\n</pre>";
}

Triggering this XSS is more involved though. One attack vector would be
for example to create a Bugzilla account, set one's own real name to
contain JavaScript code, add a new bug and then create a report where
one of the axes is the assignee's real name. Adding the debug=1
parameter to the resulting image URL will then include the name in the
output, triggering the XSS.


Proof of Concept
================

The following URL generates a new chart with debugging output enabled,
containing JavaScript code in the "label0" parameter:

http://www.example.org/bugzilla/chart.cgi
  ?category=-All-
  &datefrom=
  &dateto=
  &label0=<script>alert("XSS")</script>
  &line0=1
  &name=1
  &subcategory=-All-
  &ctype=png
  &action=plot
  &width=600
  &height=350
  &debug=1

The next URL triggers an XSS if one's real name includes JavaScript
code, e.g. 'John Doe<script>alert("XSS")</script>':

http://www.example.org/bugzilla/report.cgi
  ?query_format=report-graph
  &x_axis_field=bug_status
  &x_labels_vertical=1
  &y_axis_field=assigned_to_realname
  &format=bar
  &ctype=png
  &action=plot
  &width=600
  &height=350
  &debug=1


Workaround
==========

Manually remove the debugging code from chart.cgi and report.cgi, as it
is not needed for Bugzilla to function properly.


Fix
===

Update to one of the following versions: 3.4.13, 3.6.7, 4.0.3 or 4.2rc1.


Security Risk
=============

The risk of this vulnerability is estimated to be high. Being able to
embed arbitrary JavaScript code allows attackers to completely
manipulate the website, add their own content and track all user
interaction.


History
=======

2011-10-17 Vulnerability identified
2011-10-25 Customer approved disclosure to vendor
2011-10-27 Vendor notified
2011-11-21 CVE number assigned
2011-12-28 Vendor released fixed version
2012-01-03 Advisory released


References
==========

http://www.bugzilla.org/security/3.4.12/
https://bugzilla.mozilla.org/show_bug.cgi?id=697699


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
http://www.redteam-pentesting.de.