[rt-devel] "Security hole" in Transaction handling

Jesse Vincent jesse at bestpractical.com
Fri Apr 2 11:15:07 EST 2004


Emmanuel,

Thank you very much for reporting this perceived issue. However, I _think_ (and an initial test confirms) that the exploit you describe isn't possible.
If you have a look at lib/RT/Attachment_Overlay.pm, you'll see that "sub Content" calls "sub _Value", which performs an access control check, to prevent exactly what you've described.

FWIW, I've hidden a secret message in transaction 25493 on rt3.fsck.com. If you can actually bypass RT's access control mechanism, I'd love to know what that message says ;)

Best,
Jesse Vincent
Best Practical


On Apr 2, 2004, at 11:03 AM, Emmanuel Lacour wrote:

>
> Here is the problem:
>
>
> 3 queues: support,bugs,test
>
> RT 3.0.10
>
> For each queue, a group right for (Create ticket, Reply to ticket) to
> Non-privileged users.
>
> (classic setup I think)
>
>
> Now I want to use SelfService and put a user in a group which has only
> ShowQueue and ShowTicket rights in the "bugs" queue. This user has no other rights.

But have you granted "Everyone" rights? Or possibly "Unprivileged users"?


> On a ticket from the bugs queue, belonging to him, he can select the "Reply"
> link (over a transaction) and reply to the transaction. The new page
> shows the quoted transaction...
>
> But he can also use this URL and provide any TransactionNumber in
> "QuoteTransaction", and as the reply quotes the message ... he can see any
> transaction!!
>
> https://ssl.mydomain.tld/rt/SelfService/Update.html?id=466&QuoteTransaction=3360&Action=Respond
>
>
> Maybe I'm missing something, but if not, I consider this a security
> hole since any logged-in user can show any transaction...