[rt-announce] RT 2.0.13 - CRITICAL FIX FOR REMOTE EXPLOIT
Jesse Vincent
jesse at bestpractical.com
Wed Mar 27 23:16:35 EST 2002

45 minutes ago, I was informed of a remotely exploitable
bug in RT 2.0's password verification routine that can
allow remote users who have HTTP access to an RT
instance's web interface to gain administrative
permissions. This bug affects ALL releases of RT 2.0
prior to 2.0.13.

RT 2.0.13, which resolves this issue, is immediately
available from:

http://fsck.com/pub/rt/release/rt-2-0-13.tar.gz

Aside from the security fix, this release is identical to
RT 2.0.12.

If you can not immediately upgrade your RT instance, you
MUST execute the following SQL statement to protect your
RT instance from exploitation:

    update Users set Password = '*LOCK*' where Password is null;

This SQL statement does not need to be executed if you
upgrade to RT 2.0.13.

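Added illustration (editor's example, not RT's code and not part of this announcement) of the fail-closed behaviour the workaround relies on: a verification routine that refuses to authenticate against an unset (NULL) or '*LOCK*'-ed stored password, plus an in-memory equivalent of the UPDATE statement above. The salted SHA-256 record format, the function names and the sample user rows are assumptions made for the example, not RT's actual storage format.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Same sentinel as the announcement's workaround. A stored value that is not a
# well-formed hash record can never compare equal to a freshly computed digest.
LOCK_SENTINEL = "*LOCK*"


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Return 'salt$hexdigest'. Illustrative scheme (assumption), not RT's format."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def verify_password(supplied: str, stored: Optional[str]) -> bool:
    """Fail closed: an unset (NULL) or locked stored password never authenticates."""
    if stored is None or stored.startswith("*"):
        return False
    try:
        salt, digest = stored.split("$", 1)
    except ValueError:
        # Malformed record: treat as locked rather than risk a spurious match.
        return False
    expected = hashlib.sha256((salt + supplied).encode()).hexdigest()
    return hmac.compare_digest(expected, digest)


def lock_null_passwords(users: Dict[str, Optional[str]]) -> int:
    """In-memory equivalent of:
    update Users set Password = '*LOCK*' where Password is null;
    Returns the number of rows changed, like a SQL client would report."""
    changed = 0
    for name, stored in users.items():
        if stored is None:
            users[name] = LOCK_SENTINEL
            changed += 1
    return changed


# Constructed sample rows: one account with a real password and two accounts
# that were never given one (NULL), e.g. auto-created from incoming mail.
USERS: Dict[str, Optional[str]] = {
    "alice": hash_password("correct horse"),
    "bob": None,
    "carol": None,
}
```

Running `lock_null_passwords(USERS)` reports 2 changed rows, and a second run reports 0, which is the same check an administrator can do with a `select count(*) from Users where Password is null` before and after applying the statement.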
Jesse Vincent
Best Practical Solutions, LLC
--
http://www.bestpractical.com/products/rt -- Trouble Ticketing. Free.