[rt-devel] [rt-announce] RT 2.0.13 - CRITICAL FIX FOR REMOTE EXPLOIT

Jesse Vincent jesse at bestpractical.com
Wed Mar 27 23:16:35 EST 2002

45 minutes ago, I was informed of a remotely exploitable
bug in RT 2.0's password verification routine that can
allow remote users who have HTTP access to an RT 
instance's web interface to gain administrative 
permissions. This bug affects ALL releases of RT 2.0 
prior to 2.0.13.

RT 2.0.13, which resolves this issue, is immediately 
available from: 


Aside from the security fix, this release is identical to 
RT 2.0.12.  

If you can not immediately upgrade your RT instance, you 
MUST execute the following SQL statement to protect your 
RT instance from exploitation:

   update Users set Password = '*LOCK*' where Password is null;

This SQL statement does not need to be executed if you 
upgrade to RT 2.0.13.

	Jesse Vincent
	Best Practical Solutions, LLC

http://www.bestpractical.com/products/rt  -- Trouble Ticketing. Free.

rt-announce mailing list
rt-announce at lists.fsck.com

More information about the Rt-devel mailing list