The response function in the JSONP endpoint in WebService/Server/JSONRPC.pm in jsonrpc.cgi in Bugzilla 3.x and 4.x before 4.0.14, 4.1.x and 4.2.x before 4.2.10, 4.3.x and 4.4.x before 4.4.5, and 4.5.x before 4.5.5 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with the _bz_callback character set.

According to its banner, the version of Bugzilla installed on the remote host contains a flaw in its callback APIs in which data is not properly sanitized before being submitted to the 'jsonrpc.cgi' script.
Using a specially crafted OBJECT element with SWF content, a remote attacker could perform a cross-site request forgery attack. This could cause the disclosure of sensitive bug information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Updated bugzilla packages fix security vulnerabilities :

Adobe does not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against Bugzilla's JSONP endpoint, possibly obtaining sensitive bug information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API (CVE-2014-1546).

This version of bugzilla includes a security fix for CVE-2014-1546.

With previous versions, an attacker can get access to some bug information using the victim's credentials using a specially crafted HTML page.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A Bugzilla Security Advisory reports : Adobe does not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against Bugzilla's JSONP endpoint, possibly obtaining sensitive bug information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API.

The remote web server is hosting Bugzilla, a web-based bug tracking application. Versions of Bugzilla 3.7.x / 4.x prior to 4.0.14 / 4.2.10 / 4.4.5 / 4.5.5 are potentially exposed to a flaw as data from callback APIs is not properly sanitized before being submitted to the JSONP endpoint, 'jsonrpc.cgi'. With a specially crafted OBJECT element with SWF content satisfying the character set requirements of a callback API, a context-dependent attacker can perform a cross-site request forgery (CSRF) attack causing the victim to disclose sensitive bug information.

ID	Name	Product	Family	Severity
77779	Bugzilla < 4.0.14 / 4.2.10 / 4.4.5 / 4.5.5 CSRF Vulnerability	Nessus	CGI abuses	medium
77648	Mandriva Linux Security Advisory : bugzilla (MDVSA-2014:169)	Nessus	Mandriva Local Security Checks	medium
77069	Fedora 19 : bugzilla-4.2.10-1.fc19 (2014-8919)	Nessus	Fedora Local Security Checks	medium
76983	Fedora 20 : bugzilla-4.2.10-1.fc20 (2014-8920)	Nessus	Fedora Local Security Checks	medium
76854	FreeBSD : bugzilla -- Cross Site Request Forgery (9defb2d6-1404-11e4-8cae-20cf30e32f6d)	Nessus	FreeBSD Local Security Checks	medium
8579	Bugzilla 3.7.x < 4.0.14 / 4.2.10 / 4.4.5 / 4.5.5 Cross-Site Request Forgery	Nessus Network Monitor	CGI	low

Detections

Analytics

CVE-2014-1546

high

Tenable Plugins

medium

medium

medium

medium

medium

low