[rt-users] permissions loophole?

David Vrtin david.vrtin at arnes.si
Mon Mar 31 01:46:20 EST 2003


On Sat, 29 Mar 2003 22:54:33 GMT, "James Lucas" wrote:

> I have noticed one odd thing with the way it processes mail (although it =
> may be my setup but I can't see where), if there is a user on the =
> system, e.g. autocreated by opening a ticket, they can reply to any =
> other ticket by simply changing the number in the subject of the message =
> and this reply will be forwarded onto the ticket requestor.
> 
> This does not seem correct to me as it would allow a spammer to randomly =
> guess ticket numbers and then send mail to our customers using rt as the =
> relay.

I have same problem. We don't want RT to sent mail out of RT, if the transaction 
is originated via *Email*. 

I think, we need some patch??


Best regards,
David




More information about the rt-users mailing list