[rt-users] 3.8.x serious security issue with mixing

Nicôle Layne-Balram nlayne at telebarbados.com
Tue Jul 12 13:43:09 EDT 2011


This is in response to an older thread that I do not think has been resolved or at least I can't find a working resolution posted anywhere.

The initial e-mail thread, logs and responses can be found here http://www.mail-archive.com/rt-users@lists.bestpractical.com/msg23167.html.

I'm running RT 3.8.8 and using RT-Authen-ExternalAuth 0.8.

I'm not using a proxy (just straight apache with one RT instance), the backend is remote MySQL and users have two options for authenticating - LDAP/Active Directory or the local RT DB.

A summary of what happens:

User A logs in successfully, but is "served up" user B's session. When user A looks top right for their username, they actually see someone else's username and have access to their queues, etc. as though user B had logged in. User A would then have to log off and back on, and most times doing this once works.

User A and B can be from different groups. There seems to be no pattern to the accounts that are mixed up, and it happens quite randomly. Sometimes you log in fine (as yourself) for 15 tries, and then on the 16th, all of a sudden you're logged in as someone else.

It happens often enough for it to be annoying and for users to then post updates as others by mistake.

It also happens on different browsers.

In looking at the changelog for RT-Authen-ExternalAuth, I don't think that the two updates since have addressed this issue, if that plug-in is to blame.

Anyone had a similar issue, any ideas?

Thanks.

Kind regards,
Nicôle
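As an added example (not from the original thread, RT, or RT-Authen-ExternalAuth), a small Python check that flags the symptom described in the post in session-audit records: a session identifier that is served to more than one authenticated user. The log line format and sample records are constructed for this example and are not RT's own.

```python
"""Flag web sessions that are associated with more than one authenticated user.

The log format below is an assumption for this example, not RT's log format.
Each line carries: ISO timestamp, session id, event, authenticated username.
"""
from collections import defaultdict
import re

# Constructed sample: session a1b2c3 is bound to alice at login but is
# later served to bob, which is the mix-up the post describes.
SAMPLE_LOG = """\
2011-07-12T13:40:01 sid=a1b2c3 event=login user=alice
2011-07-12T13:40:05 sid=d4e5f6 event=login user=bob
2011-07-12T13:40:09 sid=a1b2c3 event=request user=alice
2011-07-12T13:40:12 sid=a1b2c3 event=request user=bob
2011-07-12T13:40:20 sid=d4e5f6 event=request user=bob
2011-07-12T13:41:00 sid=a1b2c3 event=logout user=bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) event=(?P<event>\S+) user=(?P<user>\S+)$"
)


def parse_log(text):
    """Parse the constructed log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_mixed_sessions(records):
    """Return {sid: [(ts, user), ...]} for sessions seen with more than one user."""
    by_sid = defaultdict(list)
    for r in records:
        by_sid[r["sid"]].append((r["ts"], r["user"]))
    return {sid: ev for sid, ev in by_sid.items()
            if len({user for _, user in ev}) > 1}


if __name__ == "__main__":
    for sid, events in find_mixed_sessions(parse_log(SAMPLE_LOG)).items():
        owner = events[0][1]  # user who established the session
        for ts, user in events:
            if user != owner:
                print(f"{ts}: session {sid} of {owner} served to {user}")
```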
