[Rt-announce] Security vulnerabilities in RT

Alex Vandiver alexmv at bestpractical.com
Thu Apr 14 09:59:18 EDT 2011

In the process of preparing the release of RT 4.0.0, we performed an
extensive security audit of RT's source code.  During this audit,
several vulnerabilities were found which affect earlier releases of RT.
We are releasing versions 3.6.11, 3.8.10, and 4.0.0rc8 to resolve these
vulnerabilities, as well as patches which apply atop 3.6.10 and all
versions of RT 3.8.

RT versions 3.8.0 and above with the "external custom field" feature
enabled and configured are vulnerable to a remote code execution
vulnerability.  An authenticated user (either privileged or
unprivileged) can use this vulnerability to execute arbitrary code with
the permissions of the webserver; they may also be tricked into doing so
via cross-site request forgery (CSRF).  The external custom field option
is disabled by default; if you have not explicitly enabled
"CustomFieldValuesSources" in your RT configuration, your RT instance is
not vulnerable.  We have been assigned CVE-2011-1685 for this

RT versions 2.0.0 and above are vulnerable to multiple SQL injection
attacks.  We do not believe these attacks to be capable of directly
inserting, altering or removing data from the database, but an
authenticated user (either privileged or unprivileged) could use them to
retrieve unauthorized ticket data.  Deployments since 3.6.0 are
additionally vulnerable to a more complex attack, which can be used by a
privileged user to retrieve arbitrary data from the database.  We have
been assigned CVE-2011-1686 for this vulnerability.

RT versions 3.0.0 and higher are vulnerable to an information leak
wherein an authenticated privileged user could gain sensitive
information, such as encrypted passwords, via the search interface.  We
have been assigned CVE-2011-1687 for this vulnerability.  This
vulnerability is particularly notable given RT's previous vulnerability
with insecure hashing (CVE-2011-0009).

RT versions 3.6.0 through 3.8.7, as well as 3.8.8 to a more limited
degree, are vulnerable to a malicious attacker tricking the user into
sending their authentication credentials to a third-party server.  We
have been assigned CVE-2011-1690 for this vulnerability.

RT versions 3.2.0 and above are vulnerable to a directory traversal
attack where an unauthenticated attacker can read any file which is
readable by the webserver.  While some servers (Apache, nginx) have
safeguards which mitigate this attack, preventing such traversals from
accessing files outside of RT's document root, many others (including
the standalone server provided with RT, plackup, starman, twiggy, and
lighttpd) are vulnerable to this exploit.  We have been assigned
CVE-2011-1688 for this vulnerability.

RT versions 2.0.0 and above are vulnerable to javascript
cross-site-scripting vulnerabilities, which allow an attacker to run
javascript with the user's credentials.  We have been assigned
CVE-2011-1689 for this vulnerability.

In addition to releasing RT versions 3.6.11, 3.8.10, and 4.0.0rc8, we
have collected patches for 3.6.10 and all releases of 3.8 into a
distribution available for download at this link:


7d09b1315785a90d915bdbc86da1a0c9bd017a03  security-2011-04-14.tar.gz
7898a45b15474641a0f9c381d0f6f58fb34afcc3  security-2011-04-14.tar.gz.sig

The README in the tarball contains instructions for applying the

If you need help resolving this issue locally, we will provide
discounted pricing for single-incident support.  Please contact us at
sales at bestpractical.com for more information.

 - Alex

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.bestpractical.com/pipermail/rt-announce/attachments/20110414/cb2cc83c/attachment.pgp>

More information about the RT-Announce mailing list