Security Bytes: Flaws fixed in Bugzilla

This installment of Security Bytes focuses on flaws in three different programs that have since been patched.

Bugzilla fixes
The Mozilla Foundation has fixed a variety of flaws in Bugzilla, a popular Web-based system software developers use to find and track vulnerabilities in their programs. Digital miscreants could exploit the flaws to disclose sensitive information, insert malicious script or conduct cross-site scripting attacks.

According to Mozilla's advisory, the problems are:

• Input passed to various fields and embedded in h1 and h2 tags is not properly sanitized before being returned to users. Attackers could exploit this to run malicious HTML and script code in a user's browser session.

   

• An error appears when attachments in "diff" mode are viewed. This allows users who are not members of "insidergroup" to read the descriptions of all attachments. Meanwhile, when exporting bugs to the XML format, the "deadline" field is also visible to users who are not members of the "timetrackinggroup" group. Attackers can exploit this to access sensitive information.

   

• Bugzilla allows users to perform certain sensitive actions via HTTP GET and POST requests without verifying the user's request properly. Attackers can exploit this to modify, delete, or create bugs.

   

• Input passed to "showdependencygraph.cgi" is not properly sanitized before being returned to users. Attackers can exploit this to run malicious HTML and script code in a user's browser session.

  Mozilla said Bugzilla users should update to versions 2.18.6, 2.20.3, 2.22.1, or 2.23.3.

  Cisco Wireless Location Appliance fixes
  Cisco Systems has offered a fix and workarounds for a flaw in its 2700 Series Wireless Location Appliances (WLA). Specifically, the flaw affects versions prior to 2.1.34.0.

  Cisco noted in its advisory that WLA software contains a default password for the "root" administrative account. A user who logs in using this username has complete control of the device. Cisco said the password is the same in all installations of the product prior to version 2.1.34.0 when shipped as part of a new product purchase, and that the vulnerability still exists on upgraded installations unless explicit steps are taken to change the password after the initial installation of the product.

  Cisco has fixed the flaw in versions 2.1.34.0 and later when shipped on new devices for initial installation of the WLA software, the vendor said.

  Meanwhile, Cisco said the flaw can be eliminated by logging in to the affected WLA and changing the default password for the administrative root account to a strong password chosen by the user. A reboot is not required for the new password to take effect, so network operations will not be disrupted, Cisco said.

  Clam AntiVirus fixes
  Clam AntiVirus users should upgrade to version 0.88.5 to correct a flaw attackers could exploit to cause a denial of service or heap-based buffer overflow and launch malicious code. The problems are:

   

• An out-of-bounds memory access error in the Compressed HTML Help unpacker in chmunpack.c. Attackers can exploit this to crash the virus scanning service via a specially crafted CHM file.

   

• An integer overflow error in rebuildpe.c when rebuilding PE files after unpacking. Attackers could exploit this to cause a heap-based buffer overflow via a specially crafted executable.

  An attacker who successfully exploits these issues could launch malicious code on the victim's computer system.