[rt-users] urgent: disable search for new watchers

Violetta J. Wawryk v.wawryk at science-computing.de
Fri Jun 19 04:22:45 EDT 2009


Hello,

yes, I have to make him privileged because he is a kind of control 
instance who has to see what orders (a ticket is an order) have been made.

Thanks to all who answered. I cannot believe that no one ever thought of 
this as a security bug.

@Kevin: no I did not grant ShowConfigTab to anyone, to be honest I 
didn't even know that this one existed.


 >Email addresses themselves are considered valuable data by some
 >people.  In this particular case, it might also reveal customer
 >contacts (which could be abused for various purposes, not just sending
 >spam).

@Florian: yes, you are absolutely right.

Since a colleague found another security issue, can anyone tell me an 
email address where to send security issues that should definitely not be 
public?

Thanks in advance
Violetta


Raed El-Hames wrote:
> Violetta;
> 
> You also made these people privileged ("Let this user be granted rights" 
> is ticked). The question is, do you want them to be privileged? If these 
> are your customers then you should untick this and force them into the 
> restricted SelfService; if you have to have them privileged then by 
> default they will see the People tab, and to restrict that you will 
> need to add extra code in a few places.
> 
> 
> Regards;
> Roy
> 
> 
> Violetta J. Wawryk wrote:
>> Hi,
>>
>> RT is 3.6.1 on a Debian system
>>
>> we just found out that in the People section everyone who can log in 
>> can search for people. So a person who has the following rights:
>>
>> CreateTicket
>> ReplyToTicket
>> SeeQueue
>> ShowTicket
>>
>> can go to the people section and do a search like:
>>
>> userid doesn't contain xyz
>>
>> he gets all the users of the RT. Since this is a security issue, is 
>> there anything that I can do to prevent these searches?
>>
>> It might be disabled in a newer version, if so which would that be?
>>
>> A quick search on the list didn't give me an answer, therefore I have 
>> to ask this. Sorry if it's been on the list before.
>>
>> Quick help is really appreciated, thanks in advance!!!!
>>
>> Regards
>> Violetta
>>
>>   


-- 
________________________________ creating IT solutions
Violetta J. Wawryk               science + computing ag
IT-Service                       Hagellocher Weg 73
phone +49 7071 9457 282          72070 Tuebingen, Germany
fax   +49 7071 9457 211          www.science-computing.de
-- 
Vorstand/Board of Management:
Dr. Bernd Finkbeiner, Dr. Roland Niemeier, 
Dr. Arno Steitz, Dr. Ingrid Zech
Vorsitzender des Aufsichtsrats/
Chairman of the Supervisory Board:
Michel Lepert
Sitz/Registered Office: Tuebingen
Registergericht/Registration Court: Stuttgart
Registernummer/Commercial Register No.: HRB 382196 
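The thread's point is that hiding a tab is not an access check: a privileged account holding only the four ticket rights listed above could still run "userid doesn't contain xyz" and enumerate every user. The following is an added example written for this post, not Request Tracker code and not anything from the thread's participants. It models the situation with a constructed user directory: one search that only checks "is the actor privileged" (the behaviour the thread describes) next to one that demands a dedicated right, plus a small audit helper that lists the privileged accounts a defender should re-examine. The gating right is named AdminUsers here as an assumption; the user records and addresses are made up.

```python
"""Constructed model of the access-control gap discussed in the thread.

Assumption: enumeration of user records should be gated by a dedicated
right, called AdminUsers in this model (not a statement about RT 3.6.1).
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, List

# Right names as listed in the original question; AdminUsers is the
# assumed gating right for this example.
TICKET_RIGHTS = {"CreateTicket", "ReplyToTicket", "SeeQueue", "ShowTicket"}
USER_ADMIN_RIGHT = "AdminUsers"


@dataclass
class User:
    userid: str
    email: str
    privileged: bool           # "Let this user be granted rights" ticked
    rights: set = field(default_factory=set)


Predicate = Callable[[User], bool]


class Directory:
    """A user directory with two search implementations for comparison."""

    def __init__(self, users: Iterable[User]):
        self.users: List[User] = list(users)

    def search_vulnerable(self, actor: User, pred: Predicate) -> List[User]:
        # Only checks that the actor is a privileged (non-SelfService) user,
        # which is the behaviour the thread complains about.
        if not actor.privileged:
            raise PermissionError("SelfService users cannot reach the People section")
        return [u for u in self.users if pred(u)]

    def search_hardened(self, actor: User, pred: Predicate) -> List[User]:
        # Requires an explicit right on top of being privileged.
        if not actor.privileged or USER_ADMIN_RIGHT not in actor.rights:
            raise PermissionError(f"{actor.userid} lacks {USER_ADMIN_RIGHT}")
        return [u for u in self.users if pred(u)]


def userid_not_contains(fragment: str) -> Predicate:
    """The 'userid doesn't contain xyz' search from the thread."""
    return lambda u: fragment not in u.userid


def is_blocked(search: Callable[[User, Predicate], List[User]],
               actor: User, pred: Predicate) -> bool:
    """True when the search refuses the actor, False when it returns rows."""
    try:
        search(actor, pred)
    except PermissionError:
        return True
    return False


def audit_overexposed(directory: Directory) -> List[str]:
    """Privileged accounts that hold none of the user-admin right; under the
    vulnerable check these are exactly the accounts able to enumerate users,
    so they are the ones to review (unprivilege, or grant the right knowingly)."""
    return [u.userid for u in directory.users
            if u.privileged and USER_ADMIN_RIGHT not in u.rights]


def build_sample_directory() -> Directory:
    # Constructed sample data, not real accounts.
    return Directory([
        User("controller", "controller@example.com", True, set(TICKET_RIGHTS)),
        User("rtadmin", "rtadmin@example.com", True, TICKET_RIGHTS | {USER_ADMIN_RIGHT}),
        User("cust1", "cust1@example.net", False, {"CreateTicket"}),
        User("cust2", "cust2@example.net", False, {"CreateTicket"}),
    ])


if __name__ == "__main__":
    d = build_sample_directory()
    controller = d.users[0]
    query = userid_not_contains("xyz")
    print("vulnerable:", [u.email for u in d.search_vulnerable(controller, query)])
    print("hardened blocks controller:", is_blocked(d.search_hardened, controller, query))
    print("accounts to review:", audit_overexposed(d))
```

The audit helper is the part worth keeping around: run against a real export of privileged users and their rights, it answers Roy's question ("do you want them to be privileged?") account by account, which is what decides whether an account should be moved back to SelfService or deliberately granted the enumeration right.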