[rt-users] [rt-announce] Security vulnerability in RT::Extension::MobileUI

Alex Vandiver alexmv at bestpractical.com
Wed Jun 12 15:28:54 EDT 2013


Two of the May 2013 security vulnerabilities also affect the MobileUI
extension, which provides a mobile interface for RT versions 3.8.x.  The
extension was merged with core RT starting in version 4.0.0, and the
respective vulnerabilies in RT 4.0.0 to 4.0.12 were fixed by the May
2013 patches and RT 4.0.13.


All versions of RT-Extension-MobileUI are vulnerable to cross-site
scripting (XSS) via attachment filenames.  The vector is difficult to
exploit due to parsing requirements.  This vulnerability is assigned
CVE-2013-3736.

All versions of RT-Extension-MobileUI create a limited session re-use
vulnerability when using the file-based session store,
Apache::Session::File, in addition to an older version of various
non-core authentication extensions such as RT::Authen::ExternalAuth less
than version 0.14.  The extent of session re-use is limited to
information leaks of certain user preferences and caches, such as queue
names available for ticket creation.  This vulnerability is assigned
CVE-2013-3737.


A new version of RT-Extension-MobileUI is available for download below.

http://cpan.metacpan.org/authors/id/A/AL/ALEXMV/RT-Extension-MobileUI-1.04.tar.gz

3feaafcee94c857ac2875a5f5b5b30c4f2d64c23 RT-Extension-MobileUI-1.04.tar.gz


The README in the tarball contains instructions for applying the
patches.  If you need help resolving this issue locally, we will provide
discounted pricing for single-incident support; please contact us at
sales at bestpractical.com for more information.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20130612/fdedbb7d/attachment.pgp>
-------------- next part --------------
_______________________________________________
rt-announce mailing list
rt-announce at lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce


More information about the rt-users mailing list