Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 405477 (CVE-2012-0453)

Summary: <www-apps/bugzilla-4.0.5 : Cross-Site Request Forgery Vulnerability (CVE-2012-0453)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: jaak, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.bugzilla.org/security/4.0.4/
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-02-23 20:03:36 UTC 
From secunia advisory:

Description
A vulnerability has been reported in Bugzilla, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application's web interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. change certain bug data or execute certain administrative tasks by tricking a logged in user into visiting a malicious web site.

The vulnerability is reported in versions 4.0.2 through 4.0.4 and 4.1.1 through 4.2rc2.


Solution
Update to version 4.0.5 or 4.2.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-02-25 20:03:36 UTC 
CVE-2012-0453 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0453):
  Cross-site request forgery (CSRF) vulnerability in xmlrpc.cgi in Bugzilla
  4.0.2 through 4.0.4 and 4.1.1 through 4.2rc2, when mod_perl is used, allows
  remote attackers to hijack the authentication of arbitrary users for
  requests that modify the product's installation via the XML-RPC API.
Comment 2 Christian Ruppert (idl0r) gentoo-dev 2012-02-28 14:53:35 UTC 
4.0.5 and 4.2 are in gentoo-x86 now.
Comment 3 Agostino Sarubbo gentoo-dev 2012-02-29 13:03:19 UTC 
(In reply to comment #2)
> 4.0.5 and 4.2 are in gentoo-x86 now.

Thanks, fixed.