[rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]

Jesse Vincent jesse at bestpractical.com
Fri Oct 30 15:26:35 EDT 2009




On Fri, Oct 30, 2009 at 03:13:33PM +0100, Arkadiusz Miskiewicz wrote:
> On Friday 23 of October 2009, Arkadiusz Miskiewicz wrote:
> > On Friday 23 of October 2009, Jesse Vincent wrote:
> 
> > > I don't think I've ever seen this with RT, but I have seen it with other
> > >  applications - the cause is _usually_ an HTTP proxy that's caching RT's
> > >  pages. Do you have any sort of HTTP proxy between your browsers and your
> > >  server?
> > 
> > No proxy. Also rt is served over https.
> 
> There is no proxy but apache serving rt had mod_cache module installed which 
> turns out to be caching cookies!
> 
> Nightmare to track. Uninstalled and so far everything is working nicely.
> 
> Now the question is can anything be done on rt level to prevent mod_cache from 
> caching such stuff and actually creating security issues?

Well, what does mod_cache need to know not to cache requests?

> 
> ps. issues.apache.org is full of weird mod_cache related things
> 
> > > -jesse
> 
> -- 
> Arkadiusz Miśkiewicz        PLD/Linux Team
> arekm / maven.pl            http://ftp.pld-linux.org/
> 

-- 
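Added example, not part of the original message or RT's code: under standard HTTP caching rules a shared cache must not store a response marked `Cache-Control: no-store` or `private`, so this check flags response heads that set a cookie without either directive. The sample responses and the `SESSION` cookie name are constructed for illustration.

```python
import re

def parse_headers(raw):
    """Split a raw response head into (lowercased name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines():
        if ":" in line:                      # the status line has no colon
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def cache_directives(pairs):
    """Merge every Cache-Control header into {directive: argument or None}."""
    found = {}
    for name, value in pairs:
        if name != "cache-control":
            continue
        # Split on commas, but keep a quoted argument such as private="a, b" whole.
        for item in re.findall(r'[^,"]+(?:"[^"]*")?', value):
            key, _, arg = item.strip().partition("=")
            if key:
                found[key.strip().lower()] = arg.strip().strip('"').lower() or None
    return found

def cookie_exposed_to_shared_cache(raw):
    """True when a response sets a cookie and nothing bars a shared cache from storing it."""
    pairs = parse_headers(raw)
    if not any(name == "set-cookie" for name, _ in pairs):
        return False
    cc = cache_directives(pairs)
    if "no-store" in cc:
        return False
    if "private" in cc:
        fields = cc["private"]
        # Unqualified private covers the whole response; the qualified form
        # covers only the header fields it lists.
        if fields is None or "set-cookie" in [f.strip() for f in fields.split(",")]:
            return False
    # no-cache alone only forces revalidation; the response may still be stored.
    return True

# Constructed sample responses (not captured from RT).
LEAKY = "HTTP/1.1 200 OK\nSet-Cookie: SESSION=constructed; path=/\nCache-Control: max-age=300\n"
SAFE = "HTTP/1.1 200 OK\nSet-Cookie: SESSION=constructed; path=/\nCache-Control: no-cache\nCache-Control: no-store\n"

if __name__ == "__main__":
    for label, raw in (("LEAKY", LEAKY), ("SAFE", SAFE)):
        print(label, cookie_exposed_to_shared_cache(raw))
```

On the Apache side, mod_cache's `CacheStoreNoStore` and `CacheStorePrivate` directives override these response directives when switched on, and `CacheIgnoreHeaders Set-Cookie` keeps the header out of stored entries.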


