[rt-users] [rt-announce] RT 1.0.7 vulnerable to Cross Site Scripting attacks

Jesse Vincent jesse at bestpractical.com
Thu May 8 07:14:05 EDT 2003


All versions of RT 1.0, up to and including RT 1.0.7 are vulnerable to 
a cross site scripting attack with content included in message bodies.
If you use RT 1.0 to handle mail from unknown or possibly malicious
users, an attacker could exploit this hole to perform actions within RT
as any staff user who uses RT 1.0's web interface to view a malicious
message. More information on CSS attacks is available at
http://www.cgisecurity.com/articles/xss-faq.shtml

We recommend that all users upgrade to RT 2.0.15 or RT 3.0, as we don't 
currently plan to release a new version of RT 1.0.x (It's been
retired for several years now.) If an end-user provides us with a
verifiable patch to resolve this issue, we would be delighted to publish
it as RT 1.0.8.

Information about current versions of RT is available at 
http://bestpractical.com/rt.  If, for some reason, you are unable to
upgrade from RT 1.0.x and require commercial support, please address all
inquiries to sales at bestpractical.com. 

We are grateful to Troy Davis and the Semaphore Corporation for bringing
this issue to our attention.

	Best,
	Jesse Vincent
	Best Practical Solutions, LLC



-- 
http://www.bestpractical.com/rt  -- Trouble Ticketing. Free.
_______________________________________________
rt-announce mailing list
rt-announce at lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-announce



More information about the rt-users mailing list