<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1458" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Hi All,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I just discovered a huge security hole in my RT
implementation. I'm running v3.2.1 on Redhat with MySQL as a db. I
have a couple of issues:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>1) When a user logs in to check their tickets
(so the user is not an admin user), they are presented with NO open tickets
(even though they have some open as a requestor), and in the CLOSED tickets view
they can see 6 tickets from another requestor that they should not be able to
see at all!</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>2) As a regular user I can view ANY ticket by
just inserting the ticket number in the URL, e.g.: <A
href="http://tickets/SelfService/Display.html?id=515">http://tickets/SelfService/Display.html?id=515</A>.
This will show ticket #515. I tried this on a bunch of tickets, and each
time this limited-access user could see EVERY ticket!!</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>These are two MAJOR issues for me, as you can
imagine, and I'd like to know where to look to attempt to get this
resolved. As a history, I recently built a new RT server, moved the DB
over, and recompiled RT. Not sure if this has anything to do with it, but I
thought I'd throw it out there.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Thanks</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>-Stevo</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV></BODY></HTML>