[rt-users] urgent: disable search for new watchers

Raed El-Hames rfh at vialtus.com
Fri Jun 19 04:55:28 EDT 2009


Because it's not a security issue, your implementation might be wrong and 
causing a security concern to you.
The "him" you are talking about, is he a staff member? If yes, then in 
my opinion there is no harm to let him see all the email addresses; I am 
sure if he is to abuse any data available to him he would do that with 
not just RT but all the other internal systems available to him.
If he is a customer or third party, then you would need to change the 
way you are using RT with regard to customers/3rd parties, and make them 
un-privileged. Un-privileged users can still access RT and are able to see 
all tickets where they are the requesters, or even Cc, with little 
modification to the SelfService interface.

Regards;
Roy
 
Violetta J. Wawryk wrote:
> Hello,
>
> yes I have to make him privileged because he is a kind of control 
> instance who has to see what orders (a ticket is an order) have been made.
>
> Thanks to all who answered. I cannot believe that no one ever thought of 
> this as a security bug.
>
> @Kevin: no I did not grant ShowConfigTab to anyone, to be honest I 
> didn't even know that this one existed.
>
>
>  >Email addresses themselves are considered valuable data by some
>  >people.  In this particular case, it might also reveal customer
>  >contacts (which could be abused for various purposes, not just sending
>  >spam).
>
> @Florian: yes, you are absolutely right.
>
> Since a colleague found another security issue, can anyone tell me an 
> email address where to send security issues that should definitely not be 
> public?
>
> Thanks in advance
> Violetta
>
>
> Raed El-Hames schrieb:
>   
>> Violetta;
>>
>> You also made these people privileged ("Let this user be granted rights" 
>> is ticked). The question is, do you want them to be privileged? If these 
>> are your customers then you should untick this and force them into the 
>> restricted SelfService; if you have to have them privileged then by 
>> default they will see the People tab, and to restrict that you will 
>> need to add extra code in a few places.
>>
>>
>> Regards;
>> Roy
>>
>>
>> Violetta J. Wawryk wrote:
>>     
>>> Hi,
>>>
>>> RT is 3.6.1 on a Debian system.
>>>
>>> we just found out that in the people section everyone who can login 
>>> can search for people. So a person who has the following rights:
>>>
>>> CreateTicket
>>> ReplyToTicket
>>> SeeQueue
>>> ShowTicket
>>>
>>> can go to the people section and do a search like:
>>>
>>> userid doesn't contain xyz
>>>
>>> he gets all the users of the RT. Since this is a security issue, is 
>>> there anything I can do to prevent these searches?
>>>
>>> It might be disabled in a newer version, if so which would that be?
>>>
>>> A quick search on the list didn't give me an answer, therefore I have 
>>> to ask this. Sorry if it's been on the list before.
>>>
>>> Quick help is really appreciated, thanks in advance!!!!
>>>
>>> Regards
>>> Violetta
>>>
>>>   
>>>       
>
>
>   
