[Rt-devel] *possible* RT security bug

Jesse Vincent jesse at bestpractical.com
Sat Apr 18 22:27:00 EDT 2009


On Thu 16.Apr'09 at  9:39:19 -0700, Chad Granum wrote:
> Version 3.8.2
> 
> Noticed when writing a plugin. I have debugging that prints out the
> content of %ARGS. I went to the page while not logged in, it prompted
> for login. Logged in and it redirected to the page I am working on. The
> debugging showed the username and password in %ARGS.

Chad,

> I would expect the username and password to be stripped from %ARGS the
> moment the login validation stage is complete (on success or failure). I
> do not have any clear ideas on how to exploit this, but it seems pretty
> sketch.
>

Your expectation isn't really consistent with my experiences of web
application development, especially in a dynamic language like Perl.
If you're writing code linked into RT (as it is when you write an RT
plugin) you have full access to the application's internals.  That means
you have full access to RT's internal data structures, database handle,
etc.  Once you have access to the app's internals, it's trivial to hook
into any stage of the request process. A malicious developer can
trivially subvert any part of the request process. Stripping out request
data after processing won't stop them.  It will, however, lead to weird,
inconsistent results for legitimate development.

I hope that explanation makes some sense. I'm happy to discuss this
further.

Best,
Jesse
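The practical takeaway for plugin authors is on the debugging side: if you dump %ARGS, redact credential-bearing keys before the dump reaches a log. The helper below is an added example, not code from this thread or from RT; the key names `user` and `pass` are an assumption about RT's login form fields, so adjust the pattern to match your deployment.

```perl
#!/usr/bin/perl
# Added example (not RT's own code): dump %ARGS for debugging with
# credential-bearing values redacted. The key names are an assumption
# about RT's login form; extend the pattern for your own deployment.
use strict;
use warnings;
use Data::Dumper;

# Keys whose values must never reach a debug log (matched case-insensitively).
my $SENSITIVE = qr/^(?:user|pass|password|passwd)$/i;

# Return a shallow copy of the args hash with sensitive values replaced.
sub redact_args {
    my ($args) = @_;
    my %clean;
    for my $key (keys %$args) {
        my $value = $args->{$key};
        if ($key =~ $SENSITIVE) {
            $clean{$key} = '[REDACTED]';
        }
        elsif (ref $value eq 'ARRAY') {
            # Mason hands repeated form fields to %ARGS as array refs; copy them.
            $clean{$key} = [ @$value ];
        }
        else {
            $clean{$key} = $value;
        }
    }
    return \%clean;
}

# Produce a stable, log-safe rendering of %ARGS.
sub debug_args {
    my ($args) = @_;
    local $Data::Dumper::Sortkeys = 1;
    local $Data::Dumper::Terse    = 1;
    return Dumper( redact_args($args) );
}

# Constructed sample resembling %ARGS right after the login redirect.
my %ARGS = (
    user   => 'alice',
    pass   => 'hunter2',
    id     => 42,
    Status => [ 'open', 'stalled' ],
);
print debug_args( \%ARGS );
```

Call `debug_args(\%ARGS)` in place of a bare `Dumper(\%ARGS)` wherever the plugin logs request data.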