[rt-users] 3.8.x serious security issue with mixing sessions
Jesse Vincent
jesse at bestpractical.com
Fri Oct 23 13:14:22 EDT 2009
On Fri, Oct 23, 2009 at 11:24:01AM +0200, Arkadiusz Miskiewicz wrote:
>
> I have a very serious security problem with 3.8 installation (3.8.6
> currently).
>
> Logged-in user sessions are being mixed up. One logged-in user is becoming another
> logged-in user as seen by RT. It happens at different moments.
>
> For example I'm user A and after clicking to view some ticket I become user B.
>
> Or I'm logged in as user A but suddenly I get a prompt about needing to log in,
> and after logging in with user A's data I become user C (in this case
> "Successful login for .." isn't written to the logs).
>
> Tried using default settings (session kept in MySQL) but also
> Apache::Session::File. The problem happens in both cases. I'm using mod_perl to
> run RT.
I don't think I've ever seen this with RT, but I have seen it with other applications
- the cause is _usually_ an HTTP proxy that's caching RT's pages. Do you
have any sort of HTTP proxy between your browsers and your server?
-jesse
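A quick way to check the proxy-caching theory from the reply above is to look at the response headers the application sends for a logged-in page and ask whether a shared cache is allowed to store and reuse them. The script below is an added example, not code from the thread or from RT; the header sets and the cookie name are constructed samples, and the rules follow RFC 7234 section 3.

```python
"""Decide whether a response for a per-user page could be stored by a shared
(proxy) cache and later served to a different user.  Added example; the
header samples below are constructed, not captured from a real RT server."""

def parse_cache_control(value):
    """Return {directive: argument-or-None} for a Cache-Control header value."""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip()] = arg.strip().strip('"') or None
    return directives

def shared_cache_risk(headers, request_had_auth=False):
    """Return the reasons a shared cache may store and reuse this response.
    An empty list means the response is marked as not reusable across users."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    # Explicit opt-outs: a compliant shared cache will not store (no-store,
    # private) or will revalidate with the origin before reuse (no-cache).
    if "no-store" in cc or "private" in cc or "no-cache" in cc:
        return []
    # RFC 7234 3.2: a request carrying Authorization is not stored by a
    # shared cache unless the response says public, s-maxage or must-revalidate.
    if request_had_auth and not any(d in cc for d in ("public", "s-maxage", "must-revalidate")):
        return []
    reasons = []
    if "public" in cc:
        reasons.append("Cache-Control: public on a per-user page")
    if "s-maxage" in cc or "max-age" in cc:
        reasons.append("explicit freshness lifetime (max-age/s-maxage)")
    if "expires" in h and "max-age" not in cc:
        reasons.append("Expires header gives a freshness lifetime")
    if not reasons and "last-modified" in h:
        reasons.append("heuristic freshness from Last-Modified (no explicit lifetime)")
    if reasons and "set-cookie" in h:
        reasons.append("Set-Cookie would be replayed to other users")
    if reasons and "cookie" not in h.get("vary", "").lower():
        reasons.append("no 'Vary: Cookie', so one cached copy serves every session")
    return reasons

# Constructed samples: a ticket page with no caching directives at all,
# one wrongly marked public, and one that opts out correctly.
RISKY_HEADERS = {"Content-Type": "text/html; charset=utf-8",
                 "Last-Modified": "Fri, 23 Oct 2009 13:14:22 GMT",
                 "Set-Cookie": "RT_SID_example=constructed; path=/"}
PUBLIC_HEADERS = {"Cache-Control": "public, max-age=600"}
SAFE_HEADERS = {"Cache-Control": "private, no-cache, no-store"}

if __name__ == "__main__":
    for name, hdrs in [("risky", RISKY_HEADERS), ("public", PUBLIC_HEADERS), ("safe", SAFE_HEADERS)]:
        print(name, shared_cache_risk(hdrs) or "not reusable across users")
```

If a logged-in page comes back looking like `RISKY_HEADERS`, the fix is on the application or proxy side (send `Cache-Control: private, no-store` for authenticated responses), not in the session store.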