[rt-users] Re: Add a Cc via email to a ticket after the ticket has been created
Jason A. Smith
smithj4 at bnl.gov
Mon Nov 6 13:22:56 EST 2006
On Mon, 2006-11-06 at 11:35 -0500, Jesse Vincent wrote:
>
> It's worth noting that this patch opens up a potentially dangerous hole.
> A malicious user could easily make themselves CC of ...all your tickets.
> In some organizations, this may not matter. But it's a showstopper here
> ;)
>
> Best,
> Jesse
Hi Jesse,
I suppose this is true, but we are using RT as our support center and
need to allow anyone to be able to create and see most of our tickets
anyway, so this doesn't really open up our RT system any more than it
already is. For us, this only applies to email access since web access
is only granted through a manual approval process. Also, this
malicious user can only add themselves by emailing a followup to a
ticket, which would be seen by all of the other watchers of the queue,
so if we are paying attention to the correspondence we should easily
catch any malicious users. This is also a good reason for making it an
option like ParseNewMessageForTicketCcs is, defaulting to off and maybe
with an appropriate warning about the security implications.
Thanks,
~Jason
PS. I added your comments about the potential security risks to the
wiki page as a warning, I hope you don't mind.
--
/------------------------------------------------------------------\
| Jason A. Smith Email: smithj4 at bnl.gov |
| Atlas Computing Facility, Bldg. 510M Phone: +1-631-344-4226 |
| Brookhaven National Lab, P.O. Box 5000 Fax: +1-631-344-7616 |
| Upton, NY 11973-5000, U.S.A. |
\------------------------------------------------------------------/