[rt-users] unprivileged users need to log in twice

David Griffith dgriffi at cs.csubak.edu
Wed Dec 9 14:40:32 EST 2009


On Wed, 9 Dec 2009, Jesse Vincent wrote:

> David,
>
> This is only the second report we've had of this failure mode, but it
> _is_ the second report.
>
> On Wed, Dec 09, 2009 at 10:50:48AM -0800, David Griffith wrote:
>>
>> Debian 5.0 upgrade fixed a session fixation vulnerability on December 1,
>> 2009 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559020).  It seems
>> that when this happened, my installation now requires unprivileged users
>> to log in twice.
>
> What version of RT are you using? Have you customized it in any way? Are
> you using only RT's built-in authentication system?

I'm using 3.6.7 as installed through APT on Debian Lenny.  Only RT's 
built-in authentication is being used.  I haven't customized it beyond 
setting things in /etc/request-tracker3.6/RT_SiteConfig.pm.  I haven't 
hacked around with the source code.

>> At the first login, the username and password fields are cleared and 
>> nothing seems to have happened.  Put in the username and password a 
>> second time and the user is logged in.  Sometimes if I try to log in as 
>> an unprivileged user, get put back to the login screen, then login as a 
>> privileged user, I get logged in with diminished privileges.
>
> That sentence doesn't make much sense to me. Can you take another shot
> at it?

Go to http://foobar.com/rt and you see the RT login screen.  Log in as an 
unprivileged user (Alice).  The username and password field will blank 
out.  Type in Alice's username and password again, and you'll be logged in 
as Alice.  That's the first part of the bug.  The second part is when you 
type in the username-password the second time.  If at that point you 
attempt to log in as a privileged user, you'll log in, but your 
permissions are that of an unprivileged user.

>> Would someone please tell me what's going on?  Maybe now would be a good
>> time to upgrade to 3.8?
>
> RT 3.8 is much better than what came before, but we'd certainly not like
> to have broken earlier releases with a security fix.

Er...  Yeah!  I've been waiting for Debian to get a move on and put RT 3.8 
in the stable repositories, but with this zinger, I don't think I can 
wait.  It's time to install from source.


-- 
David Griffith
dgriffi at cs.csubak.edu

A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
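The two symptoms reported in this thread (a first login that appears to do nothing, and a later privileged login that ends up with a lesser role) are exactly what a test of session-ID regeneration at login should rule out. The block below is an added example, not RT's code and not anything posted in the thread; the session store, the user table and the role names are constructed for illustration.

```python
import secrets


class SessionStore:
    """Minimal server-side session store (constructed for this example)."""

    def __init__(self):
        self._sessions = {}

    def new(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        # None for unknown or invalidated ids: a stale cookie never resolves.
        return self._sessions.get(sid)

    def regenerate(self, old_sid):
        """Anti-fixation step: issue a fresh id, move the data across, and
        invalidate the old id so an id chosen before login is never promoted."""
        data = self._sessions.pop(old_sid, {})
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = data
        return new_sid


# Constructed user table: password and privilege level (hypothetical values).
USERS = {"alice": ("alice-pw", "unprivileged"), "admin": ("admin-pw", "privileged")}


def login(store, sid, username, password):
    """Authenticate and return (cookie value to use next, username or None)."""
    entry = USERS.get(username)
    if entry is None or not secrets.compare_digest(entry[0].encode(), password.encode()):
        return sid, None          # failed login keeps the existing session untouched
    new_sid = store.regenerate(sid)
    sess = store.get(new_sid)
    # Assign unconditionally: an identity or role carried over from an earlier
    # login in the same session must not survive a new authentication.
    sess["user"] = username
    sess["role"] = entry[1]
    return new_sid, username


def current_role(store, sid):
    sess = store.get(sid)
    return sess.get("role") if sess else None
```

A regression check for the reported behaviour is that the id returned by `login` is always different from the one sent, the old id no longer resolves, and the role read back is the one of the user who just authenticated.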
