[rt-users] 3.8.x serious security issue with mixing sessions
Arkadiusz Miskiewicz
arekm at maven.pl
Fri Oct 23 05:24:01 EDT 2009
I have a very serious security problem with a 3.8 installation (3.8.6
currently).
Logged-in user sessions are being mixed up. One logged-in user becomes another
logged-in user as seen by RT. It happens at different moments.
For example, I'm user A and after clicking to view some ticket I become user B.
Or I'm logged in as user A but suddenly I get a prompt to log in, and
after logging in with user A's credentials I become user C (in this case
"Successful login for .." isn't written to the logs).
I tried the default settings (sessions kept in MySQL) and also
Apache::Session::File. The problem happens in both cases. I'm using mod_perl to
run RT.
It happens with different browsers (Firefox, Opera).
Any ideas on how to debug it?
Perl packages are at fresh versions:
apache-mod_perl-2.0.4-3.i686
openssl-tools-perl-0.9.8k-2.i686
perl-AI-DecisionTree-0.08-2.i686
perl-AnyData-0.10-4.noarch
perl-Apache-DBI-1.06-1.noarch
perl-Apache-Scoreboard-2.08-7.i686
perl-Apache-Session-1.88-1.noarch
perl-Apache-Session-Wrapper-0.33-1.noarch
perl-Apache-VMonitor-2.06-1.noarch
perl-AppConfig-1.66-1.noarch
perl-Authen-SASL-2.13-1.noarch
perl-base-5.10.1-2.i686
perl-Bit-Vector-7.1-1.i686
perl-BSD-Resource-1.2901-2.i686
perl-Cache-DB_File-0.2-7.noarch
perl-Cache-Simple-TimedExpiry-0.27-1.noarch
perl-Calendar-Simple-1.19-1.noarch
perl-Carp-Assert-0.20-2.noarch
perl-Carp-Assert-More-1.12-3.noarch
perl-Carp-Clan-6.00-1.noarch
perl-CGI-3.48-1.noarch
perl-CGI-LogCarp-1.12-10.noarch
perl-CGI-SpeedyCGI-2.22-15.i686
perl-Chart-PNGgraph-1.21-7.noarch
perl-Class-Accessor-0.34-1.noarch
perl-Class-Accessor-Chained-0.01-2.noarch
perl-Class-Container-0.12-2.noarch
perl-Class-Data-Inheritable-0.08-1.noarch
perl-Class-Inspector-1.24-1.noarch
perl-Class-MakeMethods-1.01-2.noarch
perl-Class-MethodMaker-2.11-2.i686
perl-Class-MixinFactory-0.92-2.noarch
perl-Class-ReturnValue-0.55-1.noarch
perl-Class-Singleton-1.4-1.noarch
perl-Clone-0.31-1.i686
perl-Config-Tiny-2.12-2.noarch
perl-Convert-ASN1-0.21-2.noarch
perl-Convert-Recode-1.04-2.noarch
perl-CSS-Squish-0.07-1.noarch
perl-Curses-1.26-2.i686
perl-Curses-Forms-1.997-1.noarch
perl-Curses-Widgets-1.997-5.noarch
perl-Data-Flow-0.09-3.noarch
perl-Data-ICal-0.13-5.noarch
perl-Data-Library-0.1-1.noarch
perl-Date-Calc-6.0-1.i686
perl-DateTime-0.50-1.i686
perl-DateTime-Event-ICal-0.09-2.noarch
perl-DateTime-Event-Recurrence-0.16-4.noarch
perl-DateTime-Format-ICal-0.09-1.noarch
perl-DateTime-Format-Mail-0.3001-1.noarch
perl-DateTime-Format-Strptime-1.0701-1.noarch
perl-DateTime-Format-W3CDTF-0.04-1.noarch
perl-DateTime-Locale-0.44-1.noarch
perl-DateTime-Set-0.25-3.noarch
perl-DateTime-TimeZone-0.72-1.noarch
perl-DBD-AnyData-0.09-1.noarch
perl-DBD-Chart-0.82-2.noarch
perl-DBD-CSV-0.22-3.noarch
perl-DBD-LDAP-0.10-1.i686
perl-DBD-mysql-4.013-1.i686
perl-DBD-ODBC-1.23-1.i686
perl-DBD-Pg-2.15.1-3.i686
perl-DBD-SQLite-1.25-1.i686
perl-DBD-Sybase-1.09-2.i686
perl-DBD-XBase-0.241-3.noarch
perl-DB_File-1.820-2.i686
perl-DBI-1.608-1.i686
perl-DBI-ProfileDumper-Apache-1.608-1.i686
perl-DBIx-Abstract-1.006-2.noarch
perl-DBIx-AbstractLite-0.02-5.noarch
perl-DBIx-AnyDBD-2.01-4.noarch
perl-DBIx-BLOB-Handle-0.2-6.noarch
perl-DBIx-CGI-0.06-9.noarch
perl-DBIx-ContextualFetch-1.03-2.noarch
perl-DBIx-Copy-0.02-5.noarch
perl-DBIx-Cursor-0.14-4.noarch
perl-DBIx-DataLookup-0.03-5.noarch
perl-DBIx-DataSource-0.02-5.noarch
perl-DBIx-DBSchema-0.36-1.noarch
perl-DBIx-Easy-1.40-2.noarch
perl-DBIx-FetchLoop-0.41-1.noarch
perl-DBIx-HTMLView-0.9-7.noarch
perl-DBIx-Librarian-0.6-2.noarch
perl-DBIx-Recordset-0.26-2.noarch
perl-DBIx-SearchBuilder-1.56-1.noarch
perl-DBIx-SQLEngine-0.93-3.noarch
perl-DBIx-Table-0.04-5.noarch
perl-DBIx-TableHash-1.04-4.noarch
perl-DBIx-TextIndex-0.27-2.i686
perl-DBIx-XML_RDB-0.05-8.noarch
perl-devel-5.10.1-2.i686
perl-Devel-StackTrace-1.22-1.noarch
perl-Devel-Symdump-2.0602-2.noarch
perl-Digest-HMAC-1.01-12.noarch
perl-Digest-SHA1-2.11-3.i686
perl-dirs-2.1-18.i686
perl-Email-Abstract-3.001-1.noarch
perl-Email-Address-1.889-1.noarch
perl-Email-Date-Format-1.002-1.noarch
perl-Email-Simple-2.005-1.noarch
perl-Encode-2.37-1.i686
perl-Error-0.15-7.noarch
perl-Error-Dumb-0.02-4.noarch
perl-Exception-Class-1.26-1.noarch
perl-ExtUtils-MakeMaker-6.54-1.noarch
perl-FCGI-0.67-7.i686
perl-File-Find-Rule-0.30-2.noarch
perl-File-ShareDir-1.00-2.noarch
perl-File-Slurp-9999.12-1.noarch
perl-File-Slurp-Tree-1.24-1.noarch
perl-Font-AFM-1.19-3.noarch
perl-GD-2.44-1.i686
perl-GD-Graph-1.4308-5.noarch
perl-GD-TextUtil-0.86-3.noarch
perl-GnuPG-Interface-0.36-1.noarch
perl-GraphViz-2.02-2.noarch
perl-GSSAPI-0.26-4.i686
perl-GTop-0.15-3.i686
perl-Hook-LexWrap-0.20-1.noarch
perl-HTML-Format-2.04-2.noarch
perl-HTML-Mason-1.42-1.noarch
perl-HTML-Parser-3.62-1.i686
perl-HTML-RewriteAttributes-0.03-1.noarch
perl-HTML-Scrubber-0.08-2.noarch
perl-HTML-Stream-1.60-1.noarch
perl-HTML-Tagset-3.20-1.noarch
perl-HTML-Template-2.9-1.noarch
perl-HTML-Template-Extension-0.26-1.noarch
perl-HTML-Tree-3.23-1.noarch
perl-HTTP-Response-Encoding-0.06-1.noarch
perl-HTTP-Server-Simple-0.41-1.noarch
perl-HTTP-Server-Simple-Mason-0.13-1.noarch
perl-IO-Socket-INET6-2.56-1.noarch
perl-IO-Socket-SSL-1.31-1.noarch
perl-IO-String-1.08-2.noarch
perl-IO-stringy-2.110-2.noarch
perl-IPC-Run-0.84-1.noarch
perl-ldap-0.39-1.noarch
perl-libapreq2-2.12-1.i686
perl-libs-5.10.1-2.i686
perl-libwww-5.833-1.noarch
perl-List-MoreUtils-0.22-4.i686
perl-Locale-Maketext-1.13-2.noarch
perl-Locale-Maketext-Fuzzy-0.10-1.noarch
perl-Locale-Maketext-Lexicon-0.77-1.noarch
perl-Log-Channel-0.7-2.noarch
perl-Log-Dispatch-2.26-1.noarch
perl-Log-Dispatch-Config-1.02-1.noarch
perl-LWP-Parallel-2.57-2.noarch
perl-Mail-GnuPG-0.15-1.noarch
perl-Mail-POP3Client-2.18-1.noarch
perl-Mail-SpamAssassin-3.2.5-2.i686
perl-Mail-SPF-Query-1.999.1-2.noarch
perl-MailTools-2.04-1.noarch
perl-MasonX-Interp-WithCallbacks-1.17-1.noarch
perl-MasonX-Lexer-MSP-0.11-2.noarch
perl-MasonX-Profiler-0.06-2.noarch
perl-MasonX-Request-ExtendedCompRoot-0.03-2.noarch
perl-MasonX-Request-ExtendedCompRoot-WithApacheSession-0.03-1.noarch
perl-MasonX-Request-HTMLTemplate-0.05-1.noarch
perl-MasonX-Request-WithApacheSession-0.30-1.noarch
perl-MasonX-Resolver-CVS-0.02-1.noarch
perl-MIME-Base64-3.07-3.i686
perl-MIME-Explode-0.38-2.i686
perl-MIME-Fast-1.6-2.i686
perl-MIME-Lite-3.027-1.noarch
perl-MIME-tools-5.427-1.noarch
perl-MIME-Types-1.28-1.noarch
perl-mod_perl-2.0.4-3.i686
perl-modules-5.10.1-2.i686
perl-Module-Versions-Report-1.06-1.noarch
perl-Net-CIDR-Lite-0.20-2.noarch
perl-Net-Daemon-0.43-2.noarch
perl-Net-DNS-0.65-2.i686
perl-Net-IP-1.25-2.noarch
perl-Net-Jabber-2.0-2.noarch
perl-Net-Server-0.97-3.noarch
perl-Net-SSLeay-1.30-5.i686
perl-Net-XMPP-1.02-1.noarch
perl-Number-Compare-0.01-4.noarch
perl-Params-CallbackRequest-1.19-1.noarch
perl-Params-Util-1.00-2.i686
perl-Params-Validate-0.91-2.i686
perl-parent-0.223-1.noarch
perl-Parse-RecDescent-1.962.2-1.noarch
perl-PerlIO-eol-0.14-3.i686
perl-PlRPC-0.2020-1.noarch
perl-Pod-Escapes-1.04-2.noarch
perl-Pod-Tree-1.16-1.noarch
perl-POE-1.268-1.noarch
perl-PPI-1.206-1.noarch
perl-Regexp-Common-2.122-1.noarch
perl-relative-0.04-1.noarch
perl-RT-Client-REST-0.37-1.noarch
perl-Scalar-List-Utils-1.21-1.i686
perl-Set-Infinite-0.63-1.noarch
perl-Socket6-0.23-1.i686
perl-SQL-Statement-1.15-2.noarch
perl-Sys-Hostname-Long-1.4-2.i686
perl-Template-Toolkit-2.22-1.i686
perl-Term-ReadKey-2.30-5.i686
perl-Test-Email-0.07-2.noarch
perl-Test-HTTP-Server-Simple-0.03-1.noarch
perl-Test-HTTP-Server-Simple-StashWarnings-0.03-2.noarch
perl-Test-LongString-0.11-1.noarch
perl-Test-WWW-Mechanize-1.24-1.noarch
perl-Text-Autoformat-1.666.0-1.noarch
perl-Text-CSV_XS-0.67-1.i686
perl-Text-Glob-0.08-1.noarch
perl-Text-Quoted-2.05-1.noarch
perl-Text-Reform-1.20-1.noarch
perl-Text-Template-1.45-1.noarch
perl-Text-vFile-asData-0.05-2.noarch
perl-Text-WikiFormat-0.79-2.noarch
perl-Text-Wrapper-1.02-1.noarch
perl-Tie-Watch-1.2-3.noarch
perl-TimeDate-1.19-1.noarch
perl-Time-modules-2006.0814-1.noarch
perl-Tk-804.028-5.i686
perl-tools-pod-5.10.1-2.i686
perl-Tree-DAG_Node-1.06-1.noarch
perl-Tree-MultiNode-1.0.10-2.noarch
perl-Tree-Nary-1.3-2.noarch
perl-Tree-RedBlack-0.5-1.noarch
perl-Tree-Simple-1.18-1.noarch
perl-Tree-Simple-VisitorFactory-0.10-2.noarch
perl-Tree-Trie-1.5-1.noarch
perl-UNIVERSAL-require-0.11-1.noarch
perl-URI-1.40-1.noarch
perl-Want-0.18-2.i686
perl-WWW-Mechanize-1.60-1.noarch
perl-XML-NamespaceSupport-1.10-1.noarch
perl-XML-Parser-2.36-5.i686
perl-XML-RSS-1.46-1.noarch
perl-XML-SAX-0.96-1.noarch
perl-XML-Simple-2.18-2.noarch
perl-XML-Stream-1.22-3.noarch
perl-YAML-0.68-1.noarch
config:
# grep -v '^#' /etc/rt3/RT_SiteConfig.pm | grep -v '^$'
Set($rtname, 'domena.pl');
Set($EmailSubjectTagRegex, qr/(?:bla1\.eu|bla2\.pl)/i );
Set($Organization , "Something");
Set($Timezone , 'Europe/Warsaw');
Set($DatabaseUser , 'someuser');
Set($DatabasePassword , 'somepass');
Set($DatabaseName , 'rt3');
Set($OwnerEmail , 'sysadmin at ble3.pl');
Set($LoopsToRTOwner , 0);
Set($StoreLoops , 0);
Set($MaxAttachmentSize , 10000000);
Set($RTAddressRegexp , '^rt\@rt.ble.pl$');
Set($CanonicalizeOnCreate , 0);
Set($CorrespondAddress , 'sysadmin at ble3.pl');
Set($CommentAddress , 'sysadmin at ble3.pl');
Set($MailCommand , 'sendmailpipe');
Set($SendmailArguments , "-oi -t");
Set($SendmailBounceArguments , '-f "<>"');
Set($UseFriendlyFromLine , 1);
Set($FriendlyFromLineFormat , "\"%s via RT\" <%s>");
Set($UseFriendlyToLine , 1);
Set($NotifyActor, 0);
Set($RecordOutgoingEmail, 1);
Set($LogToSyslog , 'error');
Set($LogToScreen , 'error');
Set($LogToFile , 'debug');
Set($LogDir, '/var/log');
Set($LogToFileNamed , "rt.log"); #log to rt.log
Set($WebPath , "");
Set($WebPort , 443);
Set($WebBaseURL , "https://rt.ble.eu");
Set($WebURL , $WebBaseURL . $WebPath . "/");
Set($WebImagesURL , $WebPath . "/NoAuth/images/");
Set($LogoURL , $WebImagesURL . "bplogo.gif");
Set($MessageBoxRichText, 0);
Set($MessageBoxWidth , 120);
Set($MessageBoxHeight, 25);
Set($WikiImplicitLinks, 0);
Set($MaxInlineBody, 15728640);
Set($DefaultSummaryRows, 50);
Set($OldestTransactionsFirst, '1');
Set($ShowTransactionImages, 1);
Set($HomepageComponents, [qw(QuickCreate Quicksearch MyAdminQueues
MySupportQueues MyReminders RefreshHomepage)]);
@EmailInputEncodings = qw(utf-8 iso-8859-2 iso-8859-1 us-ascii) unless
(@EmailInputEncodings);
Set($EmailOutputEncoding , 'utf-8');
Set($DateDayBeforeMonth , 1);
Set($AmbiguousDayInPast , 1);
Set($TrustHTMLAttachments, 1);
Set(%GnuPGOptions,
homedir => '/var/lib/rt-gpg',
);
Set($AutoLogoff, 180);
Set($WebSecureCookies, 1);
1;
part of vhost config:
DocumentRoot /usr/share/rt3/html
Alias /NoAuth/images/ /usr/share/rt3/html/NoAuth/images/
Alias /error/ "/home/services/httpd/error/"
AddDefaultCharset UTF-8
PerlModule Apache2::compat
PerlModule Apache::DBI
PerlRequire /usr/bin/webmux.pl
<Location /error>
</Location>
<Location />
AuthUserFile /somefile
AuthGroupFile /dev/null
AuthName Strefa-admin
AuthType Basic
AddDefaultCharset UTF-8
Options ExecCGI
SetHandler perl-script
PerlHandler RT::Mason
</Location>
PS. I didn't have this problem for some time, but it started to happen again :/
--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/
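One way to get hard evidence for the "session mixing" described above, as an added debugging aid that is not part of the original post and not RT's own code: because the vhost authenticates every request with Apache Basic auth, Apache's REMOTE_USER is an identity established independently of RT's session store. If a single RT session cookie is ever presented under two different REMOTE_USER values, the session and the authenticated user have come apart, which is exactly the reported symptom. The script assumes an Apache LogFormat that records %u and the raw Cookie: header (shown in the comments; the posted vhost does not define one), and assumes RT 3.8 names its session cookie RT_SID_<rtname>.<port>. The log lines are constructed for illustration.

```python
"""Flag RT session cookies that Apache saw presented by more than one Basic-auth user."""
import re
from collections import defaultdict

# Assumed Apache LogFormat (added for this check, not in the posted vhost):
#   LogFormat "%h %u %t \"%r\" %>s \"%{Cookie}i\"" rtsess
#   CustomLog /var/log/httpd/rt-sessions.log rtsess
# %u is REMOTE_USER as verified by Apache against AuthUserFile, so it is an
# identity assigned outside RT's own session handling.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<cookies>[^"]*)"$'
)
# RT 3.8 is assumed to name its session cookie RT_SID_<rtname>.<port>.
SID_RE = re.compile(r'RT_SID_[^=;\s]+=(?P<sid>[0-9A-Za-z]+)')

# Constructed sample lines (not real traffic); rtname 'domena.pl' and port 443
# as in the posted RT_SiteConfig.pm. Line 3 shows the symptom: usera presents
# the session id that was issued to userb two requests earlier.
SAMPLE_LOG = """\
10.0.0.5 usera [23/Oct/2009:11:01:02 +0200] "GET /Ticket/Display.html?id=12 HTTP/1.1" 200 "RT_SID_domena.pl.443=0123456789abcdef0123456789abcdef"
10.0.0.6 userb [23/Oct/2009:11:01:05 +0200] "GET /index.html HTTP/1.1" 200 "RT_SID_domena.pl.443=fedcba9876543210fedcba9876543210"
10.0.0.5 usera [23/Oct/2009:11:02:10 +0200] "GET /Ticket/Display.html?id=13 HTTP/1.1" 200 "RT_SID_domena.pl.443=fedcba9876543210fedcba9876543210; other=1"
10.0.0.7 userc [23/Oct/2009:11:03:00 +0200] "GET /index.html HTTP/1.1" 200 "-"
10.0.0.7 userc [23/Oct/2009:11:03:01 +0200] "GET /index.html HTTP/1.1" 200 "RT_SID_domena.pl.443=00000000000000000000000000000000"
10.0.0.8 - [23/Oct/2009:11:03:02 +0200] "GET /NoAuth/images/bplogo.gif HTTP/1.1" 200 "RT_SID_domena.pl.443=fedcba9876543210fedcba9876543210"
"""


def parse_line(line):
    """Return (user, sid) for one log line, or None if it carries no usable pair.

    Lines without an authenticated user ('-', e.g. /NoAuth/images) or without an
    RT session cookie are skipped; they cannot tie a session to an identity.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    user = m.group('user')
    if user == '-':
        return None
    sid = SID_RE.search(m.group('cookies'))
    if not sid:
        return None
    return user, sid.group('sid')


def find_shared_sessions(lines):
    """Map each session id to the ordered list of distinct users that presented it,
    keeping only ids seen under more than one authenticated user."""
    users_by_sid = defaultdict(dict)   # inner dict used as an insertion-ordered set
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, sid = parsed
        users_by_sid[sid][user] = None
    return {sid: list(users) for sid, users in users_by_sid.items() if len(users) > 1}


def report(lines):
    """Print a summary and return the number of mixed sessions found."""
    shared = find_shared_sessions(lines)
    for sid, users in shared.items():
        print(f"session {sid[:8]}... presented by {len(users)} users: {' -> '.join(users)}")
    if not shared:
        print("no session id was presented by more than one authenticated user")
    return len(shared)


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            found = report(fh)
    else:
        found = report(SAMPLE_LOG.splitlines())
    sys.exit(1 if found else 0)
```

Run it against the custom log (or with no argument to see the constructed sample); a non-zero exit means at least one session id was shared between users. The order of users per session shows who held the session first, which is what you need when comparing against the sessions table and rt.log timestamps.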