[rt-users] HELP! Serious Security Issues Needing Resolution!
Stevo
checkpoint at ozbergs.com
Fri Aug 13 13:11:59 EDT 2004
Alright - so I'm not making any progress on this. Could the issue be how I
have my permissions set? Below are my current global group rights. Any
groups not noted have no rights.
Any ideas?!!
System Groups:
  Everyone:
    CommentOnTicket
    CreateTicket
    ReplyToTicket
Roles:
  Requestor:
    ModifyTicket
    ReplyToTicket
    SeeQueue
    ShowTemplate
    ShowTicket
User defined groups:
  SupportStaff (this is a group of everyone who has admin rights to the
  ticketing server):
    AdminQueue
    AdminUsers
    CommentOnTicket
    CreateTicket
    DeleteTicket
    ModifyACL
    ModifyQueueWatchers
    ModifyScrips
    ModifySelf
    ModifyTemplate
    ModifyTicket
    OwnTicket
    ReplyToTicket
    SeeQueue
    ShowACL
    ShowScrips
    ShowTemplate
    ShowTicket
    ShowTicketComments
    SuperUser
    Watch
    WatchAsAdminCc
----- Original Message -----
From: Stevo
To: rt-users at lists.bestpractical.com
Sent: Thursday, August 12, 2004 9:05 PM
Subject: [rt-users] HELP! Serious Security Issues Needing Resolution!
Hi All,
I just discovered a huge security hole in my RT implementation. I'm running
v3.2.1 on Redhat with MySQL as a db. I have a couple of issues:
1) When a user logs in to check their tickets (so the user is not an admin
user), they are presented with NO open tickets (even though they have some
open as a requestor), and in the CLOSED tickets view they can see 6 tickets
from another requestor that they should not be able to see at all!
2) As a regular user I can view ANY ticket by just inserting the ticket
number in the URL. eg: http://tickets/SelfService/Display.html?id=515.
This will show ticket #515. I tried this on a bunch of tickets and each
time this limited access user could see EVERY ticket!!
These are two MAJOR issues for me as you can imagine and I'd like to know
where to look to attempt to get this resolved. As a history, I recently
built a new RT server and moved the DB over and recompiled RT. Not sure if
this has anything to do with it, but I thought I'd throw it out there.
Thanks
-Stevo
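To check the symptom described above from the server side, here is an added audit script that is not part of the thread: it walks every ticket using the RT 3.x Perl API and reports each one a given non-admin user can see without being a watcher or owner on it. The install path /opt/rt3 and the username passed on the command line are assumptions.

```perl
#!/usr/bin/perl
# Added example, not from the rt-users post: audit which tickets one RT user
# can see, and flag tickets they are not a watcher on. Assumes RT 3.x under
# /opt/rt3 (placeholder path) and that this runs as a user with DB access.
use strict;
use warnings;
use lib '/opt/rt3/lib';    # ASSUMED install path; adjust for your site
use RT;
use RT::CurrentUser;
use RT::Tickets;

RT::LoadConfig();
RT::Init();

my $name = shift @ARGV or die "usage: $0 <rt-username>\n";

# Act as the audited user so every ACL check is done with their rights.
my $cu = RT::CurrentUser->new($name);
die "no such user: $name\n" unless $cu->Id;

# Enumerate all tickets as RT's system user, which is not subject to ACLs.
my $all = RT::Tickets->new($RT::SystemUser);
$all->UnLimit;

my ( $visible, $unexpected ) = ( 0, 0 );
while ( my $t = $all->Next ) {
    # Re-load the same ticket as the audited user and ask RT whether
    # ShowTicket is granted (globally, per queue, or via a role).
    my $as_user = RT::Ticket->new($cu);
    $as_user->Load( $t->Id );
    next unless $as_user->CurrentUserHasRight('ShowTicket');
    $visible++;

    # A self-service user is normally expected to see only tickets they
    # watch (Requestor/Cc/AdminCc) or own; anything else is worth a look.
    my $is_watcher = 0;
    for my $type (qw(Requestor Cc AdminCc)) {
        $is_watcher++
            if $t->IsWatcher( Type => $type, PrincipalId => $cu->PrincipalId );
    }
    next if $is_watcher || $t->Owner == $cu->Id;
    $unexpected++;
    printf "ticket %d (%s, queue %s): visible to %s but not a watcher\n",
        $t->Id, $t->Status, $t->QueueObj->Name, $name;
}
printf "%s can see %d ticket(s); %d without a watcher or owner role\n",
    $name, $visible, $unexpected;
```

If the second count is non-zero for an unprivileged user, the ShowTicket grant comes from somewhere other than the Requestor role, so the global and per-queue rights for Everyone, Unprivileged and Privileged are the place to look.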