[rt-users] permissions loophole?
James Lucas
james at webma.co.uk
Sat Mar 29 17:54:33 EST 2003
Hi,
I have recently installed the release version of RT3 onto a new server for testing as my company would like to switch over to using a ticketing system rather than standard email.
I have noticed one odd thing with the way it processes mail (although it may be my setup but I can't see where), if there is a user on the system, e.g. autocreated by opening a ticket, they can reply to any other ticket by simply changing the number in the subject of the message and this reply will be forwarded onto the ticket requestor.
This does not seem correct to me as it would allow a spammer to randomly guess ticket numbers and then send mail to our customers using rt as the relay.
The only permissions I have set are to allow is for "Everyone" to be able to create tickets, no specific permissions are set for replying to tickets but RT still lets the mail through.
Have I made a mistake in the setup or is this a loophole in the program?
Cheers
James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20030329/60932e4b/attachment.htm>
More information about the rt-users
mailing list