[rt-users] urgent: disable search for new watchers
Violetta J. Wawryk
v.wawryk at science-computing.de
Fri Jun 19 04:22:45 EDT 2009
Hello,
yes, I have to make him privileged because he is a kind of control
instance who has to see what orders (a ticket is an order) have been made.
Thanks to all who answered. I cannot believe that no one ever thought of
this as a security bug.
@Kevin: no I did not grant ShowConfigTab to anyone, to be honest I
didn't even know that this one existed.
>Email addresses themselves are considered valuable data by some
>people. In this particular case, it might also reveal customer
>contacts (which could be abused for various purposes, not just sending
>spam).
@Florian: yes, you are absolutely right.
Since a colleague found another security issue, can anyone tell me an
email address where to send security issues that should definitely not be
public?
Thanks in advance
Violetta
Raed El-Hames wrote:
> Violetta;
>
> You also made these people privileged ("Let this user be granted rights"
> is ticked). The question is, do you want them to be privileged? If these
> are your customers then you should untick this and force them into the
> restricted SelfService; if you have to have them privileged then by
> default they will see the People tab, and to restrict that you will
> need to add extra code in a few places.
>
>
> Regards;
> Roy
>
>
> Violetta J. Wawryk wrote:
>> Hi,
>>
>> RT is 3.6.1 on a debian system
>>
>> we just found out that in the People section everyone who can log in
>> can search for people. So a person who has the following rights:
>>
>> CreateTicket
>> ReplyToTicket
>> SeeQueue
>> ShowTicket
>>
>> can go to the people section and do a search like:
>>
>> userid doesn't contain xyz
>>
>> gets all the users of the RT. Since this is a security issue, is
>> there anything I can do to prevent these searches?
>>
>> It might be disabled in a newer version, if so which would that be?
>>
>> A quick search on the list didn't give me an answer, therefore I have
>> to ask this. Sorry if it's been on the list before.
>>
>> Quick help is really appreciated, thanks in advance!!!!
>>
>> Regards
>> Violetta
>>
>>
--
creating IT solutions
Violetta J. Wawryk, IT-Service
science + computing ag, Hagellocher Weg 73, 72070 Tuebingen, Germany
phone +49 7071 9457 282, fax +49 7071 9457 211
www.science-computing.de
--
Vorstand/Board of Management:
Dr. Bernd Finkbeiner, Dr. Roland Niemeier,
Dr. Arno Steitz, Dr. Ingrid Zech
Vorsitzender des Aufsichtsrats/
Chairman of the Supervisory Board:
Michel Lepert
Sitz/Registered Office: Tuebingen
Registergericht/Registration Court: Stuttgart
Registernummer/Commercial Register No.: HRB 382196
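The check a practitioner would want after Raed's advice is a list of which accounts are actually privileged ("Let this user be granted rights" ticked) and which of them could be unticked and confined to SelfService, since the user search is only reachable for privileged logins. The following Perl script is an added example written against RT's own API, not code from the thread or from Best Practical: it assumes an RT 3.6-era install under /opt/rt3 (the `use lib` path), uses the 3.x globals `$RT::SystemUser`, `$RT::Nobody` and `$RT::System`, and treats the hypothetical list `@staff_rights` as the rights that justify keeping an account privileged; the `--demote` flag is also this example's own convention. Everything else (CreateTicket, ReplyToTicket, SeeQueue, ShowTicket) can be granted to unprivileged users too, so an account that holds none of the staff rights gains nothing from being privileged except the People search.

```perl
#!/usr/bin/perl
# Added example (not from the rt-users thread): list every privileged RT
# user and flag those holding none of the "staff" rights, i.e. accounts
# that can be unticked ("Let this user be granted rights") and confined
# to SelfService, which takes the People/user search away from them.
use strict;
use warnings;
use lib "/opt/rt3/lib";   # assumption: RT 3.6 install prefix, adjust
use RT;

RT::LoadConfig();
RT::Init();

# Assumption: rights that justify keeping an account privileged. Anything
# not listed here (CreateTicket, ReplyToTicket, SeeQueue, ShowTicket ...)
# works for unprivileged users as well. Edit to match your own setup.
my @staff_rights = qw(SuperUser AdminUsers ShowConfigTab AdminQueue
                      OwnTicket ModifyTicket CommentOnTicket);

# Dry run by default; only --demote actually changes anything.
my $demote = grep { $_ eq '--demote' } @ARGV;

# Check global grants and per-queue grants; a user whose only rights live
# on one queue must still be seen as staff if they hold a staff right there.
my @objects = ($RT::System);
my $queues = RT::Queues->new($RT::SystemUser);
$queues->UnLimit;
while (my $q = $queues->Next) { push @objects, $q }

my $users = RT::Users->new($RT::SystemUser);
$users->LimitToPrivileged;

while (my $u = $users->Next) {
    # Skip RT's internal accounts.
    next if $u->id == $RT::SystemUser->id || $u->id == $RT::Nobody->id;

    # HasRight follows group membership, so a right granted to the
    # "Privileged" group counts for everyone here.
    my @held = grep {
        my $right = $_;
        grep { $u->HasRight(Right => $right, Object => $_) } @objects;
    } @staff_rights;

    my $email = $u->EmailAddress || '';
    if (@held) {
        printf "keep    %-20s %-30s (%s)\n", $u->Name, $email, join(',', @held);
        next;
    }

    printf "demote  %-20s %-30s\n", $u->Name, $email;
    if ($demote) {
        # SetPrivileged(0) moves the account to the restricted SelfService UI.
        my ($ok, $msg) = $u->SetPrivileged(0);
        print "        -> $msg\n";
    }
}
```

Run it once without arguments and read the "demote" lines before running it with --demote. Because HasRight honours group grants, if a staff right such as OwnTicket has been granted to the Privileged group itself, every account will show up as "keep"; in that case review the group's ACL first, since that grant is also what makes the People search reachable for every privileged login.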