[rt-announce] IMPORTANT: security issue with 2.0.x WebRT permissions caching

Jesse Vincent jesse at bestpractical.com
Mon Sep 10 02:04:11 EDT 2001

RT 2.0.x, up to and including 2.0.6 has a possible security hole, whereby
if the ticket owner views a ticket and then another _privileged_ user looks
at the same ticket within the same server process, a variable scoping bug
may let the second user access data that he shouldn't be able to.

The fix is a simple change to RT::User::_HasRight, as appears in the diff 
below.  No matter what, this bug doesn't open your RT database up to end-user 
requestors, because the web interface imposes an extra check for them.

RT 2.0.7 will be out shortly and will correct this bug. In the meantime,
the change below is exactly what I'm dropping into the source.

Index: lib/RT/User.pm
RCS file: /raid/cvsroot/rt/lib/RT/Attic/User.pm,v
retrieving revision
diff -r1.1.2.90 User.pm
<     my ($Requestor, $Cc, $AdminCc);
>     my ($IsRequestor, $IsCc, $IsAdminCc, $IsOwner);

http://www.bestpractical.com/products/rt  -- Trouble Ticketing. Free.

More information about the Rt-announce mailing list