[rt-announce] IMPORTANT: security issue with 2.0.x WebRT permissions caching
jesse at bestpractical.com
Mon Sep 10 02:04:11 EDT 2001
RT 2.0.x, up to and including 2.0.6, has a possible security hole: if the
ticket owner views a ticket and then another _privileged_ user looks at the
same ticket within the same server process, a variable scoping bug may let the
second user access data that he shouldn't be able to see.
The fix is a simple change to RT::User::_HasRight, as appears in the diff
below. No matter what, this bug doesn't open your RT database up to end-user
requestors, because the web interface imposes an extra check for them.
RT 2.0.7 will be out shortly and will correct this bug. In the meantime,
the change below is exactly what I'm dropping into the source.
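To illustrate the class of bug described above (state declared outside a subroutine surviving from one request to the next in a persistent server process), here is a constructed Perl example. It is not RT's code and not the fix in the diff below; `has_right_leaky`, `has_right_fixed`, the ticket hash and the user names are all made up for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed illustration of the bug class, not RT's own code.
# Variables declared at file scope live for the whole process. Under a
# persistent server (mod_perl) the module is compiled once per process,
# so these lexicals are shared by every request that process handles.
my ($IsOwner, $IsRequestor);

sub has_right_leaky {
    my ($user, $ticket) = @_;
    # Bug: the flag is only ever set to true, never reset, so a value left
    # behind by an earlier request (the owner's) survives into this one.
    $IsOwner = 1 if $ticket->{owner} eq $user;
    return $IsOwner ? 'allowed' : 'denied';
}

sub has_right_fixed {
    my ($user, $ticket) = @_;
    # Each call gets fresh lexicals, computed from scratch for this user.
    my $is_owner = ($ticket->{owner} eq $user) ? 1 : 0;
    return $is_owner ? 'allowed' : 'denied';
}

# Constructed sample: one ticket owned by alice, then two sequential
# requests handled by the same process, first by the owner, then by bob.
my $ticket = { id => 1, owner => 'alice' };
for my $user (qw(alice bob)) {
    printf "%-5s leaky=%-7s fixed=%s\n", $user,
        has_right_leaky($user, $ticket), has_right_fixed($user, $ticket);
}
```

Run under a single process, the leaky check reports `allowed` for bob on the second request because alice's earlier lookup left `$IsOwner` set; the fixed check, whose flag is a fresh `my` inside the subroutine, reports `denied`. The same pattern applies to any per-request flag (requestor, cc, admin cc) that is declared outside the sub that computes it.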
RCS file: /raid/cvsroot/rt/lib/RT/Attic/User.pm,v
retrieving revision 184.108.40.206
diff -r220.127.116.11 User.pm
< my ($Requestor, $Cc, $AdminCc);
> my ($IsRequestor, $IsCc, $IsAdminCc, $IsOwner);
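Review bot: the hunk shows only the renamed declaration, `my ($IsRequestor, $IsCc, $IsAdminCc, $IsOwner);` replacing `my ($Requestor, $Cc, $AdminCc);`, and because the diff was produced without context (`-u` or `-c`) a reader cannot tell whether the `my` moved from file or outer scope into the body of `_HasRight` or was merely renamed in place; that placement is what decides whether each call gets fresh lexicals and the cross-request leak is closed. Suggest regenerating the diff with `diff -u` so the enclosing subroutine is visible, and noting in the announcement that `$IsOwner` is a new flag not present in the old declaration, since admins applying the change by hand will need to see where it is set.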
http://www.bestpractical.com/products/rt -- Trouble Ticketing. Free.