[rt-devel] "Security hole" in Transaction handling
Emmanuel Lacour
elacour at easter-eggs.com
Fri Apr 2 11:03:35 EST 2004
Here is the problem:
3 queues: support, bugs, test
RT 3.0.10
For each queue, a group right for (Create ticket, Reply to ticket) to
Non-privileged users.
(classic setup I think)
Now I want to use SelfService and put a user in a group which has only ShowQueue and
ShowTicket rights in the "bugs" queue. This user has no other rights.
On a ticket from the bugs queue belonging to him, he can select the "Reply"
link (over a transaction) and reply to the transaction. The new page
shows the quoted transaction...
But he can also use this URL and provide any TransactionNumber in
"QuoteTransaction", and as the reply quotes the message... he can see any
transaction!!
https://ssl.mydomain.tld/rt/SlefService/Update.html?id=466&QuoteTransaction=3360&Action=Respond
Maybe I'm missing something, but if not, I consider this a security
hole since any logged-in user can show any transaction...
AW, thanks for making RT a so cool GPL software!
--
Emmanuel Lacour ------------------------------------ Easter-eggs
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:elacour at easter-eggs.com - http://www.easter-eggs.com
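The report above describes a quoted-transaction lookup that trusts the QuoteTransaction parameter on its own, so a transaction from another ticket (and another queue) is rendered for a user who only holds ShowQueue/ShowTicket on "bugs". The following is an added example, not RT's code and not the poster's: a small in-memory model with the unchecked lookup next to a hardened one that requires the transaction to belong to the ticket named in the request and the user to hold ShowTicket on that ticket's queue. Ticket ids, transaction ids, queue names, user names, rights tables and the function names `quote_unchecked`, `quote_checked` and `authorize_quote` are all constructed for illustration.

```python
"""Model of an authorization check for a QuoteTransaction-style parameter.

Added example (not RT code). Tickets, transactions, users and rights are
constructed in memory so the two lookups can be compared side by side.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    id: int
    ticket_id: int  # the ticket this transaction is attached to
    content: str


@dataclass(frozen=True)
class Ticket:
    id: int
    queue: str


# Constructed data: ticket 466 is in "bugs", ticket 120 is in "support".
TICKETS = {
    466: Ticket(466, "bugs"),
    120: Ticket(120, "support"),
}

# Constructed data: one transaction on each ticket.
TRANSACTIONS = {
    3359: Transaction(3359, 466, "alice: my build fails on 3.0.10"),
    3360: Transaction(3360, 120, "bob: confidential support request"),
}

# Constructed per-user, per-queue rights: alice may only view the bugs queue.
USER_RIGHTS = {
    "alice": {"bugs": {"ShowQueue", "ShowTicket"}},
    "bob": {"support": {"ShowQueue", "ShowTicket"}},
}


class AccessDenied(Exception):
    """Raised when the request fails the authorization check."""


def quote_unchecked(user: str, ticket_id: int, quote_txn: int) -> str:
    """Vulnerable form: the transaction is fetched by id alone.

    Neither the ticket in the request nor the user's rights are consulted,
    so any transaction id returns its content.
    """
    return TRANSACTIONS[quote_txn].content


def authorize_quote(user: str, ticket_id: int, quote_txn: int) -> bool:
    """Return True only if the quote request passes both checks.

    1. The user holds ShowTicket on the queue of the ticket being replied to.
    2. The quoted transaction is attached to that same ticket, so a
       transaction id cannot be used to reach into a different ticket.
    """
    ticket = TICKETS.get(ticket_id)
    if ticket is None:
        return False
    if "ShowTicket" not in USER_RIGHTS.get(user, {}).get(ticket.queue, set()):
        return False
    txn = TRANSACTIONS.get(quote_txn)
    return txn is not None and txn.ticket_id == ticket.id


def quote_checked(user: str, ticket_id: int, quote_txn: int) -> str:
    """Hardened form: same lookup, gated by authorize_quote()."""
    if not authorize_quote(user, ticket_id, quote_txn):
        raise AccessDenied(f"{user} may not quote transaction {quote_txn} on ticket {ticket_id}")
    return TRANSACTIONS[quote_txn].content


if __name__ == "__main__":
    # alice replies on her own ticket but names a transaction from ticket 120.
    print("unchecked:", quote_unchecked("alice", 466, 3360))
    print("checked, own transaction:", quote_checked("alice", 466, 3359))
    try:
        quote_checked("alice", 466, 3360)
    except AccessDenied as exc:
        print("checked, foreign transaction:", exc)
```

The second check in `authorize_quote` is the one the report is missing: verifying the user's rights on the ticket is not enough if the quoted transaction is never tied back to that ticket, because the right being checked and the object being displayed are then different things.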