Peaches Posted April 2, 2009

1 April 2009, 13:11
Security update for Bugzilla

The developers of the Bugzilla open source bug tracking system have released versions 3.2.3 and 3.3.4 to close a cross-site request forgery hole. Bugzilla 3.2.3 is an update to the stable version of Bugzilla, while 3.3.4 is an update for the development branch.

The cause of the problem was a vulnerability in the handling of attachment editing. It was found that the attachment.cgi script did not validate HTTP requests to ensure they actually came from Bugzilla. An attacker would have to have access to a Bugzilla installation and be able to upload an attachment, such as a patch, to be manipulated. For a successful attack, the attacker would need to get the victim to have a browser window open on Bugzilla and to open a malicious web site in another browser window.

The solution has been to introduce an unpredictable token which is checked on every invocation of the attachment. The fix was not possible with earlier versions of Bugzilla as attachment timestamps were not available. The timestamps are used to generate and validate the token.

See also: 3.22 and 3.3 Security Advisory, Bugzilla developers report. (djwm)

Heise security - http://www.h-online.com/security/Security-...a--/news/112977
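The post above describes the fix in one sentence: an unpredictable token, derived from the attachment's timestamp, that attachment.cgi checks on every edit. The following is an added example (not Bugzilla's code, which is Perl and differs in detail) that shows why a cross-site form succeeds against a handler that trusts the session cookie alone, and how a token bound to the session, the attachment and its last-modification time stops both the forged request and a stale replay. The HMAC construction, the secret, the session identifiers and the sample attachment are all assumptions made for this illustration.

```python
"""Added example of the attachment-edit CSRF and a token-based fix.
Not Bugzilla's own code; all names and data below are constructed."""
import hashlib
import hmac

# Assumed per-installation secret; a real deployment would generate and store one.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def new_store():
    """Constructed sample data: one attachment with its last-modified time."""
    return {42: {"description": "patch v1", "isobsolete": False,
                 "modification_time": "2009-03-31 12:00:00"}}


def make_token(session_id, attachment_id, modification_time):
    """Token bound to the user's session, the attachment and its timestamp.
    A third-party site cannot read the victim's session cookie, so it cannot
    compute this value, and any change to the attachment invalidates it."""
    msg = f"{session_id}|{attachment_id}|{modification_time}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def render_edit_form(store, session_id, attachment_id):
    """Server side of GET attachment.cgi?action=edit: the hidden fields the
    legitimate edit form carries, including the freshly issued token."""
    att = store[attachment_id]
    return {"id": attachment_id, "isobsolete": att["isobsolete"],
            "token": make_token(session_id, attachment_id, att["modification_time"])}


def update_vulnerable(store, session_id, form, now):
    """Before the fix: any POST arriving with a valid session cookie is honoured,
    so a form auto-submitted from an attacker's page is indistinguishable."""
    att = store[form["id"]]
    att["isobsolete"] = form.get("isobsolete", False)
    att["modification_time"] = now
    return "updated"


def update_fixed(store, session_id, form, now):
    """After the fix: recompute the expected token from current server state and
    compare in constant time; reject on mismatch before touching anything."""
    att = store[form["id"]]
    expected = make_token(session_id, form["id"], att["modification_time"])
    if not hmac.compare_digest(expected, str(form.get("token", ""))):
        return "rejected"
    att["isobsolete"] = form.get("isobsolete", False)
    att["modification_time"] = now
    return "updated"


def run_scenario():
    """Walk through the attack and the fix; returns outcomes for inspection."""
    victim_session = "sess-victim-constructed"
    results = {}

    # 1. Attacker's page auto-submits this form while the victim is logged in.
    forged = {"id": 42, "isobsolete": True}
    store = new_store()
    results["vulnerable"] = update_vulnerable(store, victim_session, forged,
                                              "2009-04-01 10:00:00")
    results["vulnerable_obsolete"] = store[42]["isobsolete"]

    # 2. Same forged form against the fixed handler: no token, then a guessed one.
    store = new_store()
    results["forged_no_token"] = update_fixed(store, victim_session, forged,
                                              "2009-04-01 10:00:00")
    results["forged_guess"] = update_fixed(store, victim_session,
                                           dict(forged, token="0" * 64),
                                           "2009-04-01 10:00:00")
    results["fixed_obsolete_after_forgery"] = store[42]["isobsolete"]

    # 3. Legitimate flow: the user loads the edit form and submits it with its token.
    form = render_edit_form(store, victim_session, 42)
    form["isobsolete"] = True
    results["legit"] = update_fixed(store, victim_session, form, "2009-04-01 10:05:00")

    # 4. Replaying the same form: the timestamp moved, so the old token is stale.
    results["replay"] = update_fixed(store, victim_session, form, "2009-04-01 10:06:00")
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The token check has to run before any state change, and the comparison uses `hmac.compare_digest` rather than `==` so that a forger cannot narrow the token down byte by byte through timing. Binding the timestamp into the token is what gives the property the post mentions: once the attachment is edited, every previously issued token for it stops validating, so a captured form cannot be replayed later.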