[rt-users] 3.8.x serious security issue with mixing sessions

Arkadiusz Miskiewicz arekm at maven.pl
Fri Oct 23 13:38:11 EDT 2009


On Friday 23 of October 2009, Jesse Vincent wrote:
> On Fri, Oct 23, 2009 at 11:24:01AM +0200, Arkadiusz Miskiewicz wrote:
> > I have a very serious security problem with 3.8 installation (3.8.6
> > currently).
> >
> > Logged-in user sessions are being mixed up. One logged-in user is becoming
> > another logged-in user as seen by RT. It happens at different moments.
> >
> > For example I'm user A and after clicking to view some ticket I become
> > user B.
> >
> > Or I'm logged in as user A but suddenly I get a prompt that I need to log
> > in, and after logging in with user A's data I'm becoming user C (in this case
> > "Successful login for .." isn't logged into the logs).
> >
> > Tried using default settings (session kept in mysql) but also
> > Apache::Session::File. Problem happens in both cases. I'm using mod_perl
> > to run RT.
> 
> I don't think I've ever seen this with RT, but I have seen it with other
> applications - the cause is _usually_ an HTTP proxy that's caching RT's
> pages. Do you have any sort of HTTP proxy between your browsers and your
> server?

No proxy. Also RT is served over HTTPS. The session is really changing user
because when trying to do something that user A has access to I get permission
denied due to B/C not having that access.

Something else is going on.

> -jesse

-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/
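The failure mode Jesse describes (a shared HTTP cache handing one user's rendered page to another) can be modelled directly, together with the response headers that stop it; this is an added illustration, not RT code, and the origin server, the two session cookies `sid-a`/`sid-b` and the ticket URL are constructed stand-ins. It shows why, even when no proxy is configured as in the reply above, checking that session-bound pages carry `Cache-Control: private` and `Vary: Cookie` is a cheap way to rule that cause out.

```python
from dataclasses import dataclass


@dataclass
class Response:
    body: str           # "<user>|<path>", the page as rendered for that user
    headers: dict


def origin(path, cookie, hardened):
    """Constructed stand-in for an application that renders a per-session page."""
    user = {"sid-a": "A", "sid-b": "B"}.get(cookie, "anonymous")
    headers = {}
    if hardened:
        # Headers a session-bound page must send so a shared cache never reuses it
        headers["Cache-Control"] = "private, no-store"
        headers["Vary"] = "Cookie"
    return Response(f"{user}|{path}", headers)


class SharedCache:
    """Simplified shared (proxy) cache: keyed on URL, honours Cache-Control and Vary."""

    def __init__(self):
        self.store = {}     # path -> list of (cookie value the entry varies on or None, Response)

    @staticmethod
    def _cacheable(resp):
        cc = resp.headers.get("Cache-Control", "").lower()
        return "private" not in cc and "no-store" not in cc

    def fetch(self, path, cookie, hardened):
        """Return (response, served_from_cache) for a request carrying `cookie`."""
        for vary_cookie, resp in self.store.get(path, []):
            if vary_cookie is None or vary_cookie == cookie:
                return resp, True
        resp = origin(path, cookie, hardened)
        if self._cacheable(resp):
            vary = [h.strip().lower() for h in resp.headers.get("Vary", "").split(",")]
            key = cookie if "cookie" in vary else None   # Vary: Cookie keys the entry per session
            self.store.setdefault(path, []).append((key, resp))
        return resp, False


def simulate(hardened):
    """User B views a ticket, then user A requests the same URL; return (user A is shown as, cache hit)."""
    cache = SharedCache()
    url = "/Ticket/Display.html?id=1"
    cache.fetch(url, "sid-b", hardened)
    resp, hit = cache.fetch(url, "sid-a", hardened)
    return resp.body.split("|")[0], hit
```

With the unhardened headers user A is shown B's page straight from the cache, which is exactly the "I become user B" symptom; with `Cache-Control: private, no-store` the cache stores nothing and A gets A's own page.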
