COMMAND
Bugzilla
SYSTEMS AFFECTED
Bugzilla 2.10
PROBLEM
Following is based on a @stake Security Advisory A043001-1.
Bugzilla is a web-based bug (and enhancement) tracking engine
built over MySQL. It's often used for distributed OpenSource
development, but is used by corporations (both internally and
externally) as well. A bug in Bugzilla allows remote users who
have registered with shell characters in their email addresses to
execute commands on the web server as an unprivileged user.
The attack is to register as a user named
|somecommand;@yourdomain.com
(root access at yourdomain.com _may_ be required.) Then submit a
bug.
It is prudent to segment Bugzilla (or other interactive web
sites) from code repository and download sites. This would
prevent this or future bugs from compromising the source tree or
distribution binaries of an OpenSource or collaborative project.
Perl's system call acts differently based on the type of argument
given; if it's a list, it takes the first element as the program
and the rest as the arguments. If the argument is a scalar, it
feeds it through sh for parsing. The Bugzilla guys got it right for
one of the system() calls (see below), but the rest are broken.
--- output from some grepping (greppage, greps?) ---
Broken (scalars):
post_bug.cgi:system("./processmail $id $::COOKIE{'Bugzilla_login'}");
process_bug.cgi: system("./processmail $num $::FORM{'who'}");
process_bug.cgi: system("./processmail $k $::FORM{'who'}");
Not Broken (list):
process_bug.cgi: system("./processmail", "-forcecc", $origCcString,
$id, $::FORM{'who'});
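The following is an added example, not code from Bugzilla or from the
advisory, that puts the two shapes of system() side by side. It uses
/bin/echo as a constructed stand-in for ./processmail (echo just prints
the argv it receives), and a constructed address in the shape the
advisory describes; the argv_as_seen helper uses the list form of open()
to show exactly how each argument arrives at the program:

```perl
#!/usr/bin/perl
# Added example: scalar vs. list form of system() with a shell character
# in one of the arguments. Not part of Bugzilla.
use strict;
use warnings;

# Constructed stand-in for Bugzilla's ./processmail. /bin/echo prints
# whatever argv it is given, which is all we need to see the difference.
my $PROCESSMAIL = '/bin/echo';

# Broken shape (what post_bug.cgi did): one scalar, handed to /bin/sh -c.
# Anything in $who that the shell understands (';', '|', '`', '$') is
# interpreted by the shell before $PROCESSMAIL ever runs.
sub notify_scalar {
    my ($id, $who) = @_;
    return system("$PROCESSMAIL $id $who");
}

# Fixed shape: a list. Perl execs $PROCESSMAIL directly; $id and $who
# each land in exactly one argv slot, shell metacharacters and all.
sub notify_list {
    my ($id, $who) = @_;
    return system($PROCESSMAIL, $id, $who);
}

# Shows how arguments arrive: the list form of open() is also shell-free,
# and printf '%s\n' prints one argv element per line.
sub argv_as_seen {
    my @argv = @_;
    open(my $fh, '-|', '/usr/bin/printf', '%s\n', @argv)
        or die "can't run printf: $!";
    chomp(my @seen = <$fh>);
    close $fh;
    return @seen;
}

# Constructed values: a bug id and an address carrying a ';'.
my $id  = 42;
my $who = 'user; echo INJECTED @example.com';

print "list form, as argv:\n";
print "  [$_]\n" for argv_as_seen($id, $who);
# Two elements: [42] and [user; echo INJECTED @example.com]; the ';'
# is just a character inside the second one.

print "list form, running the stand-in:\n";
notify_list($id, $who);      # echo prints the address verbatim, once

print "scalar form, running the stand-in:\n";
notify_scalar($id, $who);    # sh splits at ';' and runs echo twice
```

The list form is the whole fix for the system() calls: nothing in the
address is ever parsed by a shell, so the only thing an odd address can
do is show up verbatim in processmail's argv.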
Additionally, it is possible to obtain the Bugzilla global
configuration code by pointing a web browser at
http://bug.zilla.site/globals.pl
The conf file contains some site-specific configuration directives
such as paths and global variables, the juiciest of which are the
database username and password.
This brings up a typical problem with perly web apps.
Programmers often define globals and configuration info in modules
or files containing bits of perl code, and 'use' or 'require'
them in their cgi. Typically, the perl scripts are named foo.cgi
so the web server configuration doesn't need to be modified (a la
AddHandler cgi-script .pl). The modules and such retain .pl or
.pm extensions, so the web server feeds them to a requestor as
plain text.
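As an added illustration (not configuration from the advisory or from
Bugzilla), this is the kind of web server rule that stops .pl and .pm
files from being served as plain text. It assumes Apache 1.3/2.0 syntax
and relies on the fact, stated above, that the scripts meant to be run
from the web are named foo.cgi, so blocking .pl and .pm breaks nothing
that a browser should reach:

```apache
# Added example: refuse to serve Perl modules and library files from the
# Bugzilla directory. CGIs keep their .cgi name and are unaffected.
<FilesMatch "\.(pl|pm)$">
    Order allow,deny
    Deny from all
</FilesMatch>
```

A quick check after reloading the server is to request globals.pl the
way the advisory does and confirm the response is a 403 rather than the
file contents.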
SOLUTION
If you can, you should upgrade to the latest version of Bugzilla
2.12, which fixes these problems:
http://ftp.mozilla.org/pub/webtools/bugzilla-2.12.tar.gz
As a temporary solution, all Bugzilla system() calls should be
modified to pass arguments as an array rather than a scalar.
Also, on line 469 of defparams.pl, replace the regular expression
definition
q:^[^@, ]*@[^@, ]*\\.[^@, ]*$:
with
q:^[\w-\./]+@[A-Za-z\d-\.]+$:
Please note that the new regular expression will not match all
valid RFC 822 email addresses.
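The following added example (not from the advisory) runs the old and the
new regular expression from the instructions above over a few
constructed addresses, so the effect of the change, and the RFC 822
caveat, can be seen directly. The hyphens inside the character classes
are escaped here, which keeps the same meaning and avoids a "false []
range" warning from Perl:

```perl
#!/usr/bin/perl
# Added example: old vs. new defparams.pl address check. Not Bugzilla code.
use strict;
use warnings;

# The two patterns from the SOLUTION section (hyphens escaped, same meaning).
my $OLD_RE = qr/^[^@, ]*@[^@, ]*\.[^@, ]*$/;
my $NEW_RE = qr/^[\w\-.\/]+@[A-Za-z\d\-.]+$/;

sub old_accepts { my ($addr) = @_; return $addr =~ $OLD_RE ? 1 : 0; }
sub new_accepts { my ($addr) = @_; return $addr =~ $NEW_RE ? 1 : 0; }

# Constructed test addresses.
my @cases = (
    'alice@example.com',             # ordinary address: old=1 new=1
    'bob.smith-1@mail.example.org',  # dots and hyphens: old=1 new=1
    '|somecommand;@yourdomain.com',  # shape from the advisory: old=1 new=0
    'carol+bugs@example.com',        # RFC 822 legal '+': old=1 new=0
    'frank@localhost',               # no dot in domain: old=0 new=1
);

printf "%-32s old=%d new=%d\n", $_, old_accepts($_), new_accepts($_)
    for @cases;
```

Two things stand out: the old pattern lets '|' and ';' through, which is
what made the system() calls exploitable, and the new pattern, being a
whitelist, also rejects legal addresses such as ones with a '+' in the
local part, which is the caveat the advisory gives. The new pattern
also no longer insists on a dot in the domain part.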
This is a script that should fix the system call bugs - run it in
the bugzilla directory:
#!/usr/bin/perl
#
# bugzilla system() fixer -- run in bugzilla CGI directory
#
# Andrew Danforth <acd@atstake.com>, 2001
# note, grep and ed must be in path. Tested on Debian Linux.
use strict;
use warnings;

# grep -n prints "file:line:code" for every system( call in the CGIs
foreach (`grep -n system\\( *.cgi`) {
    my ($file, $line, $code) = split(/:/, $_, 3);
    # a comma means the call already uses the list form; leave it alone
    next if ($code =~ /,/);
    if ($code !~ /system\(("[^"]+")\)/) {
        print "couldn't find arguments to system for $file:$line\n";
        next;
    }
    # save the match pieces before anything else can clobber them:
    # $` is the text before "system(", $1 the quoted string, $' the rest
    my ($before, $args, $after) = ($`, $1, $');
    # split the scalar on whitespace and requote each piece, e.g.
    #   "./processmail $id $::FORM{'who'}" -> "./processmail","$id","$::FORM{'who'}"
    my $list = join('","', split(' ', $args));
    print "changing line $line for $file\n";
    # ed: replace line $line with the rewritten line, write, quit
    open(my $ed, '|-', 'ed', '-s', $file)
        or die "can't run ed on $file: $!";
    print $ed $line, "c\n", $before, "system(", $list, ")", $after, ".\nw\nq\n";
    close $ed or warn "ed exited with status $? for $file\n";
}