[rt-users] unprivileged users need to log in twice
Jesse Vincent
jesse at bestpractical.com
Wed Dec 9 13:56:54 EST 2009
David,
This is only the second report we've had of this failure mode, but it
_is_ the second report.
On Wed, Dec 09, 2009 at 10:50:48AM -0800, David Griffith wrote:
>
> A Debian 5.0 upgrade fixed a session fixation vulnerability on December 1,
> 2009 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559020). It seems
> that when this happened, my installation started requiring unprivileged users
> to log in twice.
What version of RT are you using? Have you customized it in any way? Are
you using only RT's built-in authentication system?
> At the first login, the username and password fields are
> cleared and nothing seems to have happened. Put in the username and
> password a second time and the user is logged in. Sometimes if I try to
> log in as an unprivileged user, get put back to the login screen, then
> login as a privileged user, I get logged in with diminished privileges.
That sentence doesn't make much sense to me. Can you take another shot
at it?
> Would someone please tell me what's going on? Maybe now would be a good
> time to upgrade to 3.8?
RT 3.8 is much better than what came before, but we'd certainly not like
to have broken earlier releases with a security fix.
> --
> David Griffith
> dgriffi at cs.csubak.edu
>
> A: Because it fouls the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> A: Top-posting.
> Q: What is the most annoying thing in e-mail?