[rt-users] 3.8.x serious security issue with mixing sessions

Jesse Vincent jesse at bestpractical.com
Fri Oct 23 14:08:09 EDT 2009


> I had this in 3.6.6, whatever was current in March 2008, April 2008 (looking 
> at IRC logs on when I tried to get some help at #rt), 3.8.2 and now 3.8.6. 
> Maybe others too, don't remember versions.
> 
> Note that the issue was gone for some time (3.8.5 for sure, 3.8.4 too, AFAIK) 
> but it's back after I upgraded to 3.8.6. I also upgraded the system, so some perl* 
> packages were updated, too.
> 
> Now, why it was gone for some time is an unknown thing.
> 
> > There's a change to session handling in 3.8.6.
> 
> Which git commit is that?

Far more than a single commit. We significantly overhauled all the logic
that used to be in the autohandler.

But, if this is something you've seen before and not a "new" issue, I'd
not point the finger at the refactoring just yet.

Once you are logged in and see RT's home screen, does _your_ session
change as you refresh and "become" someone else?

How many RT instances do you have in this one apache?

Which of the Apache multiprocess models are you using? Maybe there's
something weird going on with multithreading...

If you switch to FastCGI, does this go away?

Are you using Apache authentication with RT?

Can you send the contents of the Configuration->Global->Tools->System Configuration page?

Have you made any local changes?
