exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Bugzilla Chart Generator Cross Site Scripting

Bugzilla Chart Generator Cross Site Scripting
Posted Jan 3, 2012
Site redteam-pentesting.de

RedTeam Pentesting discovered a cross site scripting vulnerability in Bugzilla's chart generator during a penetration test. If attackers can persuade users to click on a prepared link or redirected them to such a link from an attacker-controlled website, they are able to run arbitrary JavaScript code in the context of the Bugzilla installation's domain. Versions affected include 2.17.1 to 3.4.12, 3.5.1 to 3.6.6, 3.7.1 to 4.0.2 and 4.1.1 to 4.1.3.

tags | exploit, arbitrary, javascript, xss
advisories | CVE-2011-3657
SHA-256 | ca81bb38b09a55cb4defe19fe6466a61b7037842c123590640a2365869115e44

Bugzilla Chart Generator Cross Site Scripting

Change Mirror Download
Advisory: Bugzilla: Cross-Site Scripting in Chart Generator

RedTeam Pentesting discovered a Cross-Site Scripting (XSS) vulnerability
in Bugzilla's chart generator during a penetration test. If attackers
can persuade users to click on a prepared link or redirected them to
such a link from an attacker-controlled website, they are able to run
arbitrary JavaScript code in the context of the Bugzilla installation's


Product: Bugzilla
Affected Versions: 2.17.1 to 3.4.12, 3.5.1 to 3.6.6, 3.7.1 to 4.0.2,
4.1.1 to 4.1.3
Fixed Versions: 3.4.13, 3.6.7, 4.0.3, 4.2rc1
Vulnerability Type: Cross Site Scripting
Security Risk: high
Vendor URL: http://www.bugzilla.org
Vendor Status: fixed version released
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2012-001
Advisory Status: published
CVE: CVE-2011-3657
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3657


"Bugzilla is a 'Defect Tracking System' or 'Bug-Tracking System'. Defect
Tracking Systems allow individual or groups of developers to keep track
of outstanding bugs in their product effectively. Most commercial
defect-tracking software vendors charge enormous licensing fees. Despite
being 'free', Bugzilla has many features its expensive counterparts
lack. Consequently, Bugzilla has quickly become a favorite of thousands
of organizations across the globe."

(from Bugzilla's homepage)

More Details

The chart-generating script chart.cgi contains a method plot(), that
creates a new chart:

sub plot {
$vars->{'chart'} = new Bugzilla::Chart($cgi);

my $format = $template->get_format("reports/chart", "", scalar($cgi->param('ctype')));

# Debugging PNGs is a pain; we need to be able to see the error messages
if ($cgi->param('debug')) {
print $cgi->header();

print $cgi->header($format->{'ctype'});
disable_utf8() if ($format->{'ctype'} =~ /^image\//);

$template->process($format->{'template'}, $vars)
|| ThrowTemplateError($template->error());

The function's code shows that there is a "debug" parameter, that, if
set, will make the function print out the variable that represents the
chart with the dump() method implemented in Chart.pm:

sub dump {
my $self = shift;

# Make sure we've read in our data
my $data = $self->data;

require Data::Dumper;
print "<pre>Bugzilla::Chart object:\n";
print Data::Dumper::Dumper($self);
print "</pre>";

The dump() method then prints the given data structures without any
further checks. This includes user-defined variables sent as URL or HTTP
POST parameters, especially "label0". As the content of this variable is
not checked for malicious input, it can be used to inject arbitrary
JavaScript code into the debugging output. In fact, any variable of the
form "labelXXX", where "XXX" is an arbitrary number, will work. The
view() method in chart.cgi also invokes dump() when the "debug"
parameter is set:

sub view {
# If we have having problems with bad data, we can set debug=1 to dump
# the data structure.
$chart->dump() if $cgi->param('debug');

After reporting the bug, the Bugzilla team discovered that almost the
same code is used in report.cgi, too, leading to the same problem:

# Problems with this CGI are often due to malformed data. Setting debug=1
# prints out both data structures.
if ($cgi->param('debug')) {
require Data::Dumper;
print "<pre>data hash:\n";
print Data::Dumper::Dumper(%data) . "\n\n";
print "data array:\n";
print Data::Dumper::Dumper(@image_data) . "\n\n</pre>";

Triggering this XSS is more involved though. One attack vector would be
for example to create a Bugzilla account, set one's own real name to
contain JavaScript code, add a new bug and then create a report where
one of the axes is the assignee's real name. Adding the debug=1
parameter to the resulting image URL will then include the name in the
output, triggering the XSS.

Proof of Concept

The following URL generates a new chart with debugging output enabled,
containing JavaScript code in the "label0" parameter:


The next URL triggers an XSS if one's real name includes JavaScript
code, e.g. 'John Doe<script>alert("XSS")</script>':



Manually remove the debugging code from chart.cgi and report.cgi, as it
is not needed for Bugzilla to function properly.


Update to one of the following versions: 3.4.13, 3.6.7, 4.0.3 or 4.2rc1.

Security Risk

The risk of this vulnerability is estimated to be high. Being able to
embed arbitrary JavaScript code allows attackers to completely
manipulate the website, add their own content and track all user


2011-10-17 Vulnerability identified
2011-10-25 Customer approved disclosure to vendor
2011-10-27 Vendor notified
2011-11-21 CVE number assigned
2011-12-28 Vendor released fixed version
2012-01-03 Advisory released



RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
Login or Register to add favorites

File Archive:

March 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    13 Files
  • 3
    Mar 3rd
    15 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    31 Files
  • 8
    Mar 8th
    16 Files
  • 9
    Mar 9th
    13 Files
  • 10
    Mar 10th
    9 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    10 Files
  • 14
    Mar 14th
    6 Files
  • 15
    Mar 15th
    17 Files
  • 16
    Mar 16th
    22 Files
  • 17
    Mar 17th
    13 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    16 Files
  • 21
    Mar 21st
    13 Files
  • 22
    Mar 22nd
    5 Files
  • 23
    Mar 23rd
    6 Files
  • 24
    Mar 24th
    47 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    50 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By