[rt-users] On the session fixation vulnerability - what do the logs look like?
Arrigo Triulzi
arrigo at northsea.sevenseas.org
Wed Dec 2 06:03:59 EST 2009
Dear all,
would it be possible to see an example of the logs produced by RT
subjected to the session fixation vulnerability?
I have a very bizarre event in the RT I manage which took place
approximately 2 hrs after the security alert went out to the lists and
which I cannot explain away. It looks like this (RT 3.0.12):
192.168.X.Y - - [01/Dec/2009:18:21:56 +0000] "GET /rt/NoAuth/webrt.css
HTTP/1.1" 200 6944
192.168.X.Y - - [01/Dec/2009:18:21:58 +0000] "GET /rt/Ticket/
Display.html?id=41114 HTTP/1.1" 200 56794
192.168.X.Y - - [01/Dec/2009:18:22:05 +0000] "GET /rt/NoAuth/webrt.css
HTTP/1.1" 200 6944
192.168.X.Y - - [01/Dec/2009:18:22:06 +0000] "GET /rt/Ticket/
Update.html?id=41114&QuoteTransaction=293515&Action=Respond HTTP/1.1"
200 14338
192.168.X.Y - - [01/Dec/2009:18:24:21 +0000] "GET /rt/NoAuth/webrt.css
HTTP/1.1" 200 6944
192.168.X.Y - - [01/Dec/2009:18:24:23 +0000] "POST /rt/Ticket/
Update.html HTTP/1.1" 200 23431
which correlates with:
[Tue Dec 1 18:24:20 2009] [crit]: RT::Attachment->Create couldn't, as
you didn't specify a transaction (/usr/share/request-tracker3/lib/RT/
Attachment_Overlay.pm:117)
[Tue Dec 1 18:24:20 2009] [crit]: Trying to check RT::Ticket rights
for an unspecified RT::Ticket (/usr/share/request-tracker3/lib/RT/
Principal_Overlay.pm:355)
[Tue Dec 1 18:24:20 2009] [err]: RT::Ticket=HASH(0xa0726b8) couldn't
init a transaction Transaction Created (/usr/share/request-tracker3/
lib/RT/Ticket_Overlay.pm:2334)
I've trawled through the past year of logs and we've never seen these
errors before.
The database log shows no transaction for the same time period (note
hole between 16:24:55 GMT and 09:24:03 GMT):
-[ RECORD 18 ]--
+---------------------------------------------------------
id | 293515
effectiveticket | 0
ticket | 41114
timetaken | 30
type | Correspond
field |
oldvalue |
newvalue |
data | No Subject
creator | 72707
created | 2009-12-01 16:24:55
-[ RECORD 19 ]--
+---------------------------------------------------------
id | 293626
effectiveticket | 0
ticket | 41114
timetaken | 0
type | Comment
field |
oldvalue |
newvalue |
data | No Subject
creator | 72707
created | 2009-12-02 09:24:03
and we did have an outbound e-mail sent by RT:
Dec 1 18:24:20 glan postfix/pickup[14782]: 81A8DC5A6C: uid=33
from=<www-data>
Dec 1 18:24:20 glan postfix/cleanup[18057]: 81A8DC5A6C:
message-id=<rt-3.0.12-41114-.17.9168436955345 at rt.X.com>
Dec 1 18:24:20 glan postfix/qmgr[19235]: 81A8DC5A6C:
from=<www-data at net.X.com>, size=925, nrcpt=10 (queue active)
Dec 1 18:24:20 glan postfix/pickup[14782]: BEF8CC5A6F: uid=33
from=<www-data>
Dec 1 18:24:20 glan postfix/cleanup[18057]: BEF8CC5A6F:
message-id=<rt-3.0.12-41114-.18.8098731560421 at rt.X.com>
Dec 1 18:24:20 glan postfix/qmgr[19235]: BEF8CC5A6F:
from=<www-data at net.X.com>, size=838, nrcpt=1 (queue active)
Dec 1 18:24:21 glan postfix/smtp[18062]: BEF8CC5A6F:
to=<xxxxxx at X.com>,
relay=mailrelay.net.X.com[192.168.160.3], delay=1, status=sent
(250 2.0.0 nB1IOK1r004792 Message accepted for delivery)
Dec 1 18:24:21 glan postfix/qmgr[19235]: BEF8CC5A6F: removed
Dec 1 18:24:25 glan postfix/smtp[18059]: 81A8DC5A6C:
to=<yyyyyy at X.com>,
relay=mailrelay.net.X.com[192.168.160.2], delay=5, status=sent
(250 2.0.0 nB1IOKOH031556 Message accepted for delivery)
[all other ticket watchers follow]
Dec 1 18:24:25 glan postfix/qmgr[19235]: 81A8DC5A6C: removed
and the message looks like this:
--- 8< cut here 8< ---
Received: by glan.net.X.com (Postfix, from userid 33)
id 81A8DC5A6C; Tue, 1 Dec 2009 18:24:20 +0000 (GMT)
MIME-Version: 1.0
In-Reply-To: <rt-41114 at X>
X-Mailer: Perl5 Mail::Internet v1.62
Content-Type: text/plain; charset="utf-8"
Reply-To: helpdesk at net.X.com
X-RT-Original-Encoding: utf-8
RT-Originator:
Managed-BY: RT 3.0.12 (http://www.bestpractical.com/rt/)
Subject: [X #41114] Downloading contact list
Sender: "www-data" <www-data at glan.net.X.com>
RT-Ticket: X #41114
Message-Id: <rt-3.0.12-41114-.17.9168436955345 at rt.X.com>
Precedence: bulk
X-RT-Loop-Prevention: X
To: "AdminCc of X Ticket #41114": ;
Content-Transfer-Encoding: 8bit
From: " via RT" <helpdesk at net.X.com>
Date: Tue, 1 Dec 2009 18:24:20 +0000 (GMT)
<URL: http://rt.X.com/rt/Ticket/Display.html?id=41114 >
This transaction appears to have no content
--- 8< cut here 8< ---
Any suggestions gratefully received...
Arrigo
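As an added defender-side example (not from the post above and not RT's own code): a small script that joins the two log formats shown in the post, flagging POSTs to Ticket/Update.html that have a crit/err RT log entry within a few seconds, which is the pattern the post describes. The sample lines are constructed in the post's formats with placeholder addresses; treating RT's zone-less log timestamps as UTC is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the formats from the post (addresses are placeholders).
ACCESS_LOG = """\
192.168.0.1 - - [01/Dec/2009:18:22:06 +0000] "GET /rt/Ticket/Update.html?id=41114&QuoteTransaction=293515&Action=Respond HTTP/1.1" 200 14338
192.168.0.1 - - [01/Dec/2009:18:24:21 +0000] "GET /rt/NoAuth/webrt.css HTTP/1.1" 200 6944
192.168.0.1 - - [01/Dec/2009:18:24:23 +0000] "POST /rt/Ticket/Update.html HTTP/1.1" 200 23431
192.168.0.2 - - [01/Dec/2009:19:10:00 +0000] "POST /rt/Ticket/Update.html HTTP/1.1" 200 23431
"""
RT_LOG = """\
[Tue Dec 1 18:24:20 2009] [crit]: RT::Attachment->Create couldn't, as you didn't specify a transaction (/usr/share/request-tracker3/lib/RT/Attachment_Overlay.pm:117)
[Tue Dec 1 18:24:20 2009] [err]: RT::Ticket=HASH(0xa0726b8) couldn't init a transaction Transaction Created (/usr/share/request-tracker3/lib/RT/Ticket_Overlay.pm:2334)
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
RT_RE = re.compile(r'^\[(.+?)\] \[(\w+)\]: (.*)$')

def parse_access(text):
    """Yield (ip, aware datetime, method, path, status) per access-log line."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), ts, m.group(3), m.group(4), int(m.group(5))

def parse_rt_log(text, tz=timezone.utc):
    """Yield (datetime, level, message); RT's log carries no zone, so one is assumed."""
    for line in text.splitlines():
        m = RT_RE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m.group(1).split()), "%a %b %d %H:%M:%S %Y")
            yield ts.replace(tzinfo=tz), m.group(2), m.group(3)

def suspicious_updates(access_text, rt_text, window=timedelta(seconds=5)):
    """POSTs to Ticket/Update.html with a crit/err RT log entry within the window."""
    errors = [e for e in parse_rt_log(rt_text) if e[1] in ("crit", "err")]
    hits = []
    for ip, ts, method, path, status in parse_access(access_text):
        if method != "POST" or not path.startswith("/rt/Ticket/Update.html"):
            continue
        near = [msg for (ets, _, msg) in errors if abs(ets - ts) <= window]
        if near:
            hits.append({"ip": ip, "time": ts.isoformat(), "errors": near})
    return hits

if __name__ == "__main__":
    for hit in suspicious_updates(ACCESS_LOG, RT_LOG):
        print(hit["time"], hit["ip"], len(hit["errors"]), "RT error(s)")
```

A further check along the same lines is to confirm that each flagged POST has a matching Transactions row created within the window; in the post, the absence of such a row is exactly what makes the event odd.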