[rt-users] 3.8.x serious security issue with mixing sessions

Arkadiusz Miskiewicz arekm at maven.pl
Fri Oct 23 05:24:01 EDT 2009


I have a very serious security problem with a 3.8 installation (3.8.6 
currently). 

Logged-in user sessions are being mixed up. One logged-in user becomes another 
logged-in user as seen by RT. It happens at different moments. 

For example, I'm user A, and after clicking to view some ticket I become user B. 

Or I'm logged in as user A, but suddenly I get a prompt saying I need to log in, 
and after logging in with user A's credentials I become user C (in this case 
"Successful login for .." isn't written to the logs).

I tried using the default settings (sessions kept in MySQL) but also 
Apache::Session::File. The problem happens in both cases. I'm using mod_perl to 
run RT.

It happens with different browsers (Firefox, Opera).

Any ideas on how to debug it?

Perl packages are at recent versions:

apache-mod_perl-2.0.4-3.i686       
openssl-tools-perl-0.9.8k-2.i686   
perl-AI-DecisionTree-0.08-2.i686   
perl-AnyData-0.10-4.noarch         
perl-Apache-DBI-1.06-1.noarch      
perl-Apache-Scoreboard-2.08-7.i686 
perl-Apache-Session-1.88-1.noarch  
perl-Apache-Session-Wrapper-0.33-1.noarch
perl-Apache-VMonitor-2.06-1.noarch       
perl-AppConfig-1.66-1.noarch             
perl-Authen-SASL-2.13-1.noarch           
perl-base-5.10.1-2.i686                  
perl-Bit-Vector-7.1-1.i686               
perl-BSD-Resource-1.2901-2.i686          
perl-Cache-DB_File-0.2-7.noarch          
perl-Cache-Simple-TimedExpiry-0.27-1.noarch
perl-Calendar-Simple-1.19-1.noarch         
perl-Carp-Assert-0.20-2.noarch             
perl-Carp-Assert-More-1.12-3.noarch        
perl-Carp-Clan-6.00-1.noarch               
perl-CGI-3.48-1.noarch                     
perl-CGI-LogCarp-1.12-10.noarch            
perl-CGI-SpeedyCGI-2.22-15.i686            
perl-Chart-PNGgraph-1.21-7.noarch          
perl-Class-Accessor-0.34-1.noarch          
perl-Class-Accessor-Chained-0.01-2.noarch  
perl-Class-Container-0.12-2.noarch         
perl-Class-Data-Inheritable-0.08-1.noarch  
perl-Class-Inspector-1.24-1.noarch         
perl-Class-MakeMethods-1.01-2.noarch       
perl-Class-MethodMaker-2.11-2.i686         
perl-Class-MixinFactory-0.92-2.noarch      
perl-Class-ReturnValue-0.55-1.noarch       
perl-Class-Singleton-1.4-1.noarch          
perl-Clone-0.31-1.i686                     
perl-Config-Tiny-2.12-2.noarch             
perl-Convert-ASN1-0.21-2.noarch            
perl-Convert-Recode-1.04-2.noarch          
perl-CSS-Squish-0.07-1.noarch              
perl-Curses-1.26-2.i686                    
perl-Curses-Forms-1.997-1.noarch           
perl-Curses-Widgets-1.997-5.noarch         
perl-Data-Flow-0.09-3.noarch               
perl-Data-ICal-0.13-5.noarch               
perl-Data-Library-0.1-1.noarch             
perl-Date-Calc-6.0-1.i686                  
perl-DateTime-0.50-1.i686                  
perl-DateTime-Event-ICal-0.09-2.noarch     
perl-DateTime-Event-Recurrence-0.16-4.noarch
perl-DateTime-Format-ICal-0.09-1.noarch     
perl-DateTime-Format-Mail-0.3001-1.noarch   
perl-DateTime-Format-Strptime-1.0701-1.noarch
perl-DateTime-Format-W3CDTF-0.04-1.noarch    
perl-DateTime-Locale-0.44-1.noarch           
perl-DateTime-Set-0.25-3.noarch              
perl-DateTime-TimeZone-0.72-1.noarch         
perl-DBD-AnyData-0.09-1.noarch               
perl-DBD-Chart-0.82-2.noarch                 
perl-DBD-CSV-0.22-3.noarch                   
perl-DBD-LDAP-0.10-1.i686                    
perl-DBD-mysql-4.013-1.i686                  
perl-DBD-ODBC-1.23-1.i686                    
perl-DBD-Pg-2.15.1-3.i686                    
perl-DBD-SQLite-1.25-1.i686                  
perl-DBD-Sybase-1.09-2.i686                  
perl-DBD-XBase-0.241-3.noarch                
perl-DB_File-1.820-2.i686                    
perl-DBI-1.608-1.i686                        
perl-DBI-ProfileDumper-Apache-1.608-1.i686   
perl-DBIx-Abstract-1.006-2.noarch            
perl-DBIx-AbstractLite-0.02-5.noarch         
perl-DBIx-AnyDBD-2.01-4.noarch               
perl-DBIx-BLOB-Handle-0.2-6.noarch           
perl-DBIx-CGI-0.06-9.noarch                  
perl-DBIx-ContextualFetch-1.03-2.noarch      
perl-DBIx-Copy-0.02-5.noarch                 
perl-DBIx-Cursor-0.14-4.noarch               
perl-DBIx-DataLookup-0.03-5.noarch           
perl-DBIx-DataSource-0.02-5.noarch           
perl-DBIx-DBSchema-0.36-1.noarch             
perl-DBIx-Easy-1.40-2.noarch                 
perl-DBIx-FetchLoop-0.41-1.noarch            
perl-DBIx-HTMLView-0.9-7.noarch              
perl-DBIx-Librarian-0.6-2.noarch             
perl-DBIx-Recordset-0.26-2.noarch            
perl-DBIx-SearchBuilder-1.56-1.noarch        
perl-DBIx-SQLEngine-0.93-3.noarch            
perl-DBIx-Table-0.04-5.noarch                
perl-DBIx-TableHash-1.04-4.noarch            
perl-DBIx-TextIndex-0.27-2.i686              
perl-DBIx-XML_RDB-0.05-8.noarch              
perl-devel-5.10.1-2.i686                     
perl-Devel-StackTrace-1.22-1.noarch          
perl-Devel-Symdump-2.0602-2.noarch           
perl-Digest-HMAC-1.01-12.noarch              
perl-Digest-SHA1-2.11-3.i686                 
perl-dirs-2.1-18.i686                        
perl-Email-Abstract-3.001-1.noarch           
perl-Email-Address-1.889-1.noarch            
perl-Email-Date-Format-1.002-1.noarch        
perl-Email-Simple-2.005-1.noarch             
perl-Encode-2.37-1.i686                      
perl-Error-0.15-7.noarch                     
perl-Error-Dumb-0.02-4.noarch                
perl-Exception-Class-1.26-1.noarch           
perl-ExtUtils-MakeMaker-6.54-1.noarch        
perl-FCGI-0.67-7.i686                        
perl-File-Find-Rule-0.30-2.noarch            
perl-File-ShareDir-1.00-2.noarch             
perl-File-Slurp-9999.12-1.noarch             
perl-File-Slurp-Tree-1.24-1.noarch           
perl-Font-AFM-1.19-3.noarch                  
perl-GD-2.44-1.i686                          
perl-GD-Graph-1.4308-5.noarch                
perl-GD-TextUtil-0.86-3.noarch               
perl-GnuPG-Interface-0.36-1.noarch           
perl-GraphViz-2.02-2.noarch                  
perl-GSSAPI-0.26-4.i686                      
perl-GTop-0.15-3.i686                        
perl-Hook-LexWrap-0.20-1.noarch              
perl-HTML-Format-2.04-2.noarch               
perl-HTML-Mason-1.42-1.noarch                
perl-HTML-Parser-3.62-1.i686                 
perl-HTML-RewriteAttributes-0.03-1.noarch    
perl-HTML-Scrubber-0.08-2.noarch             
perl-HTML-Stream-1.60-1.noarch               
perl-HTML-Tagset-3.20-1.noarch               
perl-HTML-Template-2.9-1.noarch              
perl-HTML-Template-Extension-0.26-1.noarch   
perl-HTML-Tree-3.23-1.noarch                 
perl-HTTP-Response-Encoding-0.06-1.noarch    
perl-HTTP-Server-Simple-0.41-1.noarch        
perl-HTTP-Server-Simple-Mason-0.13-1.noarch  
perl-IO-Socket-INET6-2.56-1.noarch           
perl-IO-Socket-SSL-1.31-1.noarch             
perl-IO-String-1.08-2.noarch                 
perl-IO-stringy-2.110-2.noarch               
perl-IPC-Run-0.84-1.noarch                   
perl-ldap-0.39-1.noarch                      
perl-libapreq2-2.12-1.i686                   
perl-libs-5.10.1-2.i686                      
perl-libwww-5.833-1.noarch                   
perl-List-MoreUtils-0.22-4.i686              
perl-Locale-Maketext-1.13-2.noarch           
perl-Locale-Maketext-Fuzzy-0.10-1.noarch     
perl-Locale-Maketext-Lexicon-0.77-1.noarch   
perl-Log-Channel-0.7-2.noarch                
perl-Log-Dispatch-2.26-1.noarch              
perl-Log-Dispatch-Config-1.02-1.noarch       
perl-LWP-Parallel-2.57-2.noarch              
perl-Mail-GnuPG-0.15-1.noarch                
perl-Mail-POP3Client-2.18-1.noarch           
perl-Mail-SpamAssassin-3.2.5-2.i686          
perl-Mail-SPF-Query-1.999.1-2.noarch         
perl-MailTools-2.04-1.noarch                 
perl-MasonX-Interp-WithCallbacks-1.17-1.noarch
perl-MasonX-Lexer-MSP-0.11-2.noarch           
perl-MasonX-Profiler-0.06-2.noarch            
perl-MasonX-Request-ExtendedCompRoot-0.03-2.noarch
perl-MasonX-Request-ExtendedCompRoot-WithApacheSession-0.03-1.noarch
perl-MasonX-Request-HTMLTemplate-0.05-1.noarch                      
perl-MasonX-Request-WithApacheSession-0.30-1.noarch                 
perl-MasonX-Resolver-CVS-0.02-1.noarch                              
perl-MIME-Base64-3.07-3.i686                                        
perl-MIME-Explode-0.38-2.i686                                       
perl-MIME-Fast-1.6-2.i686                                           
perl-MIME-Lite-3.027-1.noarch                                       
perl-MIME-tools-5.427-1.noarch                                      
perl-MIME-Types-1.28-1.noarch                                       
perl-mod_perl-2.0.4-3.i686                                          
perl-modules-5.10.1-2.i686                                          
perl-Module-Versions-Report-1.06-1.noarch                           
perl-Net-CIDR-Lite-0.20-2.noarch                                    
perl-Net-Daemon-0.43-2.noarch                                       
perl-Net-DNS-0.65-2.i686                                            
perl-Net-IP-1.25-2.noarch                                           
perl-Net-Jabber-2.0-2.noarch                                        
perl-Net-Server-0.97-3.noarch                                       
perl-Net-SSLeay-1.30-5.i686                                         
perl-Net-XMPP-1.02-1.noarch                                         
perl-Number-Compare-0.01-4.noarch                                   
perl-Params-CallbackRequest-1.19-1.noarch                           
perl-Params-Util-1.00-2.i686                                        
perl-Params-Validate-0.91-2.i686                                    
perl-parent-0.223-1.noarch                                          
perl-Parse-RecDescent-1.962.2-1.noarch                              
perl-PerlIO-eol-0.14-3.i686                                         
perl-PlRPC-0.2020-1.noarch                                          
perl-Pod-Escapes-1.04-2.noarch                                      
perl-Pod-Tree-1.16-1.noarch                                         
perl-POE-1.268-1.noarch                                             
perl-PPI-1.206-1.noarch                                             
perl-Regexp-Common-2.122-1.noarch                                   
perl-relative-0.04-1.noarch                                         
perl-RT-Client-REST-0.37-1.noarch                                   
perl-Scalar-List-Utils-1.21-1.i686                                  
perl-Set-Infinite-0.63-1.noarch                                     
perl-Socket6-0.23-1.i686                                            
perl-SQL-Statement-1.15-2.noarch                                    
perl-Sys-Hostname-Long-1.4-2.i686                                   
perl-Template-Toolkit-2.22-1.i686
perl-Term-ReadKey-2.30-5.i686
perl-Test-Email-0.07-2.noarch
perl-Test-HTTP-Server-Simple-0.03-1.noarch
perl-Test-HTTP-Server-Simple-StashWarnings-0.03-2.noarch
perl-Test-LongString-0.11-1.noarch
perl-Test-WWW-Mechanize-1.24-1.noarch
perl-Text-Autoformat-1.666.0-1.noarch
perl-Text-CSV_XS-0.67-1.i686
perl-Text-Glob-0.08-1.noarch
perl-Text-Quoted-2.05-1.noarch
perl-Text-Reform-1.20-1.noarch
perl-Text-Template-1.45-1.noarch
perl-Text-vFile-asData-0.05-2.noarch
perl-Text-WikiFormat-0.79-2.noarch
perl-Text-Wrapper-1.02-1.noarch
perl-Tie-Watch-1.2-3.noarch
perl-TimeDate-1.19-1.noarch
perl-Time-modules-2006.0814-1.noarch
perl-Tk-804.028-5.i686
perl-tools-pod-5.10.1-2.i686
perl-Tree-DAG_Node-1.06-1.noarch
perl-Tree-MultiNode-1.0.10-2.noarch
perl-Tree-Nary-1.3-2.noarch
perl-Tree-RedBlack-0.5-1.noarch
perl-Tree-Simple-1.18-1.noarch
perl-Tree-Simple-VisitorFactory-0.10-2.noarch
perl-Tree-Trie-1.5-1.noarch
perl-UNIVERSAL-require-0.11-1.noarch
perl-URI-1.40-1.noarch
perl-Want-0.18-2.i686
perl-WWW-Mechanize-1.60-1.noarch
perl-XML-NamespaceSupport-1.10-1.noarch
perl-XML-Parser-2.36-5.i686
perl-XML-RSS-1.46-1.noarch
perl-XML-SAX-0.96-1.noarch
perl-XML-Simple-2.18-2.noarch
perl-XML-Stream-1.22-3.noarch
perl-YAML-0.68-1.noarch

config:
# grep -v '^#' /etc/rt3/RT_SiteConfig.pm | grep -v '^$'
Set($rtname, 'domena.pl');                                        
Set($EmailSubjectTagRegex, qr/(?:bla1\.eu|bla2\.pl)/i );       
Set($Organization , "Something");                          
Set($Timezone , 'Europe/Warsaw');                                 
Set($DatabaseUser , 'someuser');                            
Set($DatabasePassword , 'somepass');         
Set($DatabaseName , 'rt3');                                       
Set($OwnerEmail , 'sysadmin at ble3.pl');                           
Set($LoopsToRTOwner , 0);                                         
Set($StoreLoops , 0);                                             
Set($MaxAttachmentSize , 10000000);                               
Set($RTAddressRegexp , '^rt\@rt.ble.pl$');                      
Set($CanonicalizeOnCreate , 0);                                   
Set($CorrespondAddress , 'sysadmin at ble3.pl');                    
Set($CommentAddress , 'sysadmin at ble3.pl');                       
Set($MailCommand , 'sendmailpipe');
Set($SendmailArguments , "-oi -t");
Set($SendmailBounceArguments , '-f "<>"');
Set($UseFriendlyFromLine , 1);
Set($FriendlyFromLineFormat , "\"%s via RT\" <%s>");
Set($UseFriendlyToLine , 1);
Set($NotifyActor, 0);
Set($RecordOutgoingEmail, 1);
Set($LogToSyslog    , 'error');
Set($LogToScreen    , 'error');
Set($LogToFile      , 'debug');
Set($LogDir, '/var/log');
Set($LogToFileNamed , "rt.log");    #log to rt.log
Set($WebPath , "");
Set($WebPort , 443);
Set($WebBaseURL , "https://rt.ble.eu");
Set($WebURL , $WebBaseURL . $WebPath . "/");
Set($WebImagesURL , $WebPath . "/NoAuth/images/");
Set($LogoURL , $WebImagesURL . "bplogo.gif");
Set($MessageBoxRichText, 0);
Set($MessageBoxWidth , 120);
Set($MessageBoxHeight, 25);
Set($WikiImplicitLinks, 0);
Set($MaxInlineBody, 15728640);
Set($DefaultSummaryRows, 50);
Set($OldestTransactionsFirst, '1');
Set($ShowTransactionImages, 1);
Set($HomepageComponents, [qw(QuickCreate Quicksearch MyAdminQueues 
MySupportQueues MyReminders  RefreshHomepage)]);
@EmailInputEncodings = qw(utf-8 iso-8859-2 iso-8859-1 us-ascii) unless 
(@EmailInputEncodings);
Set($EmailOutputEncoding , 'utf-8');
Set($DateDayBeforeMonth , 1);
Set($AmbiguousDayInPast , 1);
Set($TrustHTMLAttachments, 1);
Set(%GnuPGOptions,
    homedir => '/var/lib/rt-gpg',
);
Set($AutoLogoff, 180);
Set($WebSecureCookies, 1);
1;

part of vhost config:
    DocumentRoot /usr/share/rt3/html
    Alias /NoAuth/images/ /usr/share/rt3/html/NoAuth/images/
    Alias /error/ "/home/services/httpd/error/"             
    AddDefaultCharset UTF-8                                 

    PerlModule Apache2::compat

    PerlModule Apache::DBI
    PerlRequire /usr/bin/webmux.pl

    <Location /error>
    </Location>      

    <Location />
        AuthUserFile /somefile
        AuthGroupFile /dev/null                     
        AuthName Strefa-admin                       
        AuthType Basic                              
        AddDefaultCharset UTF-8                     
        Options ExecCGI

        SetHandler perl-script
        PerlHandler RT::Mason
    </Location>

PS. I didn't have this problem for some time, but it started to happen again :/

-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/
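Added illustration, not part of the post above and not RT's own code: the symptom described (a request under user A's cookie being served as user B, or a fresh login landing on a third user) is what one gets whenever identity is cached in interpreter state that outlives a request, which is exactly what happens to package-level variables once mod_perl keeps the Perl interpreter alive across requests in each Apache child. Whether RT 3.8.6 or one of the listed modules does this is not established by the post; the script below is a stand-alone, offline model of the pattern and its fix. `LeakyHandler`, `SafeHandler` and the request hashes are assumed names with constructed data.

```perl
#!/usr/bin/perl
# Added example (not RT code): why a persistent mod_perl interpreter can make
# "user A becomes user B" appear without any cookie ever being shared.
use strict;
use warnings;

# Hypothetical handler that caches the logged-in user in a package-level
# variable. Under plain CGI the variable dies with the process; under mod_perl
# the interpreter is reused, so the value persists into the next request that
# the same child happens to serve.
package LeakyHandler;
our $CurrentUser;   # survives across requests in one mod_perl child

sub handle {
    my ($req) = @_;
    # Only overwrite the cached user when this request's session resolves;
    # when it does not (expired, missing, lookup failed), whatever the previous
    # request left behind is reused. That is the leak.
    $CurrentUser = $req->{user} if defined $req->{user};
    return $CurrentUser;   # who the application now believes is logged in
}

# Same handler with the identity derived from this request only.
package SafeHandler;

sub handle {
    my ($req) = @_;
    my $current_user = $req->{user};   # lexical: gone when the request ends
    return defined $current_user ? $current_user : 'anonymous';
}

package main;

# Constructed request sequence for one child process: a request whose session
# lookup failed (for example after $AutoLogoff expiry) arrives right after a
# request from user A, then user B arrives.
my @requests = (
    { id => 1, user => 'A' },
    { id => 2, user => undef },   # session missing or expired
    { id => 3, user => 'B' },
);

for my $r (@requests) {
    printf "req %d  leaky=%-9s safe=%s\n", $r->{id},
        LeakyHandler::handle($r) // 'undef',
        SafeHandler::handle($r);
}
# Output:
#   req 1  leaky=A         safe=A
#   req 2  leaky=A         safe=anonymous   <- request 2 is served as user A
#   req 3  leaky=B         safe=B
```

Run it with `perl leak.pl` (Perl 5.10 or later for the `//` operator). The practical check this suggests for a live mod_perl deployment: reproduce with `MaxRequestsPerChild 1` (every request gets a fresh interpreter) or under the standalone server; if the mixing disappears, the cause is per-child state rather than the session store, which matches the report that switching between the MySQL and File backends made no difference.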


