[rt-users] 3.8.x serious security issue with mixing sessions

Jesse Vincent jesse at bestpractical.com
Fri Oct 23 13:14:22 EDT 2009
On Fri, Oct 23, 2009 at 11:24:01AM +0200, Arkadiusz Miskiewicz wrote:
> 
> I have a very serious security problem with a 3.8 installation (3.8.6
> currently).
> 
> Logged-in user sessions are being mixed up. One logged-in user becomes another
> logged-in user as seen by RT. It happens at different moments.
> 
> For example, I'm user A and after clicking to view some ticket I become user B.
> 
> Or I'm logged in as user A but suddenly I get a prompt about needing to log in,
> and after logging in with user A's data I become user C (in this case
> "Successful login for .." isn't logged in the logs).
> 
> Tried using the default settings (session kept in MySQL) but also
> Apache::Session::File. The problem happens in both cases. I'm using mod_perl to
> run RT.

I don't think I've ever seen this with RT, but I have seen it with other applications
- the cause is _usually_ an HTTP proxy that's caching RT's pages. Do you
have any sort of HTTP proxy between your browsers and your server?

-jesse
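The failure mode Jesse points at (a shared proxy cache storing one user's logged-in page and handing it to the next browser) can be checked from the response headers alone. The following is an added example, not code from RT or from either poster: it applies the shared-cache storage rules of RFC 7234 to a response head and reports why a proxy would be allowed to reuse it. The sample response head is constructed for the example, and the cookie name in it is an assumption, not RT's real one.

```python
"""Check whether an authenticated HTTP response could be stored by a shared
(proxy) cache and replayed to a different user.

Added example for the thread above, not code from RT or from the poster.
It applies the shared-cache storage rules of RFC 7234 to a response head;
the response at the bottom is a constructed sample and its cookie name is an
assumption.  Real proxies add their own heuristics on top of the spec, so a
non-empty result means "the spec allows a shared cache to serve this to
someone else", not that a particular proxy will.
"""
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Status codes a cache may store with heuristic freshness when the response
# carries no explicit lifetime (RFC 7231 section 6.1).
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_response_head(raw: str) -> Tuple[int, Headers]:
    """Split a status line plus header lines (no body) into (status, headers)."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    status = int(lines[0].split()[1])
    headers: Headers = []
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the head
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers


def cache_control_directives(value: str) -> Dict[str, str]:
    """'private, max-age=0' -> {'private': '', 'max-age': '0'} (names lowercased)."""
    out: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            out[name.strip().lower()] = arg.strip().strip('"')
    return out


def shared_cache_risks(status: int, headers: Headers) -> List[str]:
    """Return the reasons a shared cache is allowed to store and reuse this
    response for other clients.  An empty list means the response forbids it."""
    by_name: Dict[str, List[str]] = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    cc = cache_control_directives(", ".join(by_name.get("cache-control", [])))
    vary = {v.strip().lower() for v in ", ".join(by_name.get("vary", [])).split(",")}

    # Directives that stop a shared cache from reusing the response at all.
    if "no-store" in cc or "private" in cc:
        return []
    # Vary: * never matches; Vary: Cookie keys the entry on the session cookie.
    if "*" in vary or "cookie" in vary:
        return []

    risks: List[str] = []
    if "public" in cc:
        risks.append("Cache-Control: public explicitly marks the response shareable")
    if "no-cache" in cc:
        # Storage is still allowed; the stored body is replayed if the origin
        # answers the cache's revalidation with 304 Not Modified.
        risks.append("no-cache permits storage; body replays after a 304 revalidation")
    elif "s-maxage" in cc or "max-age" in cc or "expires" in by_name:
        risks.append("explicit freshness lifetime lets a shared cache reuse the response")
    elif status in HEURISTICALLY_CACHEABLE and "last-modified" in by_name:
        risks.append("no freshness info: a cache may assign heuristic freshness from Last-Modified")
    # Cookies are not a cache-control mechanism: a stored Set-Cookie is replayed too.
    if "set-cookie" in by_name:
        risks.append("Set-Cookie would be stored and handed to the next client")
    return risks


def harden(headers: Headers) -> Headers:
    """Replace caching headers with ones that keep the page out of shared caches."""
    kept = [(n, v) for n, v in headers
            if n.lower() not in {"cache-control", "expires", "pragma"}]
    return kept + [("Cache-Control", "private, no-store"), ("Vary", "Cookie")]


# Constructed sample: a logged-in page served with no caching headers at all.
# The cookie name is an assumption for the example, not RT's real one.
LEAKY_HEAD = """HTTP/1.1 200 OK
Date: Fri, 23 Oct 2009 17:14:22 GMT
Server: Apache/2.2 (Unix) mod_perl/2.0
Set-Cookie: RT_SID_rt.example.com.80=5c1d7e1ff4; path=/
Last-Modified: Fri, 23 Oct 2009 16:58:03 GMT
Content-Type: text/html; charset=utf-8
"""

if __name__ == "__main__":
    status, headers = parse_response_head(LEAKY_HEAD)
    for reason in shared_cache_risks(status, headers):
        print("RISK:", reason)
    print("after harden():", shared_cache_risks(status, harden(headers)))
```

Run it against a real response captured with `curl -i` while logged in: an empty list from `shared_cache_risks` means the page itself tells proxies not to share it, so a proxy that still mixes users is misconfigured rather than merely permitted to cache; a non-empty list is the case Jesse describes, and `harden` shows the headers that close it.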