[rt-announce] Security vulnerabilities in RT

Thomas Sibley trs at bestpractical.com
Wed May 22 14:06:22 EDT 2013

We discovered a number of security vulnerabilities which affect both RT
3.8.x and RT 4.0.x.  We are releasing RT versions 3.8.17 and 4.0.13 to
resolve these vulnerabilities, as well as patches which apply atop all
released versions of 3.8 and 4.0.

The vulnerabilities addressed by 3.8.17, 4.0.13, and the below patches
include the following:

RT 4.0.0 and above are vulnerable to a limited privilege escalation
leading to unauthorized modification of ticket data.  The DeleteTicket
right and any custom lifecycle transition rights may be bypassed by any
user with ModifyTicket.  This vulnerability is assigned CVE-2012-4733.

RT 3.8.0 and above include a version of bin/rt that uses
semi-predictable names when creating tempfiles.  This could possibly be
exploited by a malicious user to overwrite files with permissions of the
user running bin/rt.  This vulnerability is assigned CVE-2013-3368.

RT 3.8.0 and above allow calling of arbitrary Mason components (without
control of arguments) for users who can see administration pages.  This
could be used by a malicious user to run private components which may
have negative side-effects.  This vulnerability is assigned

RT 3.8.0 and above allow direct requests to private callback components.
Though no callback components ship with RT, this could be used to
exploit an extension or local callback which uses the arguments passed
to it insecurely.  This vulnerability is assigned CVE-2013-3370.

RT 3.8.3 and above are vulnerable to cross-site scripting (XSS) via
attachment filenames.  The vector is difficult to exploit due to parsing
requirements.  Additionally, RT 4.0.0 and above are vulnerable to XSS
via maliciously-crafted "URLs" in ticket content when RT's "MakeClicky"
feature is configured.  Although not believed to be exploitable in the
stock configuration, a patch is also included for RTIR 2.6.x to add
bulletproofing.  These vulnerabilities are assigned CVE-2013-3371.

RT 3.8.0 and above are vulnerable to an HTTP header injection limited to
the value of the Content-Disposition header.  Injection of other
arbitrary response headers is not possible.  Some (especially older)
browsers may allow multiple Content-Disposition values which could lead
to XSS.  Newer browsers contain security measures to prevent this.
Thank you to Dominic Hargreaves for reporting this vulnerability.  This
vulnerability is assigned CVE-2013-3372.

RT 3.8.0 and above are vulnerable to a MIME header injection in outgoing
email generated by RT.  The vectors via RT's stock templates are
resolved by this patchset, but any custom email templates should be
updated to ensure that values interpolated into mail headers do not
contain newlines.  This vulnerability is assigned CVE-2013-3373.

RT 3.8.0 and above are vulnerable to limited session re-use when using
the file-based session store, Apache::Session::File.  RT's default
session configuration only uses Apache::Session::File for Oracle.  RT
instances using Oracle may be locally configured to use the
database-backed Apache::Session::Oracle, in which case sessions are
never re-used.  The extent of session re-use is limited to information
leaks of certain user preferences and caches, such as queue names
available for ticket creation.  Thank you to Jenny Martin for reporting
the problem that lead to discovery of this vulnerability.  This
vulnerability is assigned CVE-2013-3374.

Patches for all releases of 3.8.x and 4.0.x are available for download
below.  Versions of RT older than 3.8.0 are unsupported and do not
receive security patches; please contact sales at bestpractical.com if you
need assistance with an older RT version.


25349c393c1b8d720f26a62dd57dc90d7def1cea  security-2013-05-22.tar.gz
d78db2e9fba3b78c1ee7a0a8d9ede871cc7ba7dc  security-2013-05-22.tar.gz.sig

The README in the tarball contains instructions for applying the
patches.  If you need help resolving this issue locally, we will provide
discounted pricing for single-incident support; please contact us at
sales at bestpractical.com for more information.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 255 bytes
Desc: OpenPGP digital signature
URL: <http://lists.bestpractical.com/pipermail/rt-announce/attachments/20130522/9e7c3e47/attachment.pgp>

More information about the rt-announce mailing list