[rt-devel] "Security hole" in Transaction handling

Emmanuel Lacour elacour at easter-eggs.com
Fri Apr 2 11:03:35 EST 2004

Here is the problem:

3 queues: support,bugs,test

RT 3.0.10

For each queue, a group right for (Create ticket, Reply to ticket) to
Non-privileged users.

(classic setup I think)

Now I wan't to use SelfService and put a user in a group which as only ShowQueue and
ShowTicket rights in the "bugs" queue. This User as no other rights.

On a ticket from bugs queue, belong to him, he can select the "Reply"
link (over a transaction) and reply to the transaction. The new page
show the quoted transaction...

But he can also use this URL and provide any TransactionNumber in
"QuoteTransaction" and as the reply quote the message ... he can see any


Maybe I'm missing something, but if not, I consider this as a security
hole since any logged user can show any transaction...

AW, thanks for making RT a so cool GPL software!

Emmanuel Lacour ------------------------------------ Easter-eggs
44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
Phone: +33 (0) 1 43 35 00 37    -     Fax: +33 (0) 1 41 35 00 76
mailto:elacour at easter-eggs.com   -    http://www.easter-eggs.com

More information about the Rt-devel mailing list