[rt-users] 3.8.x serious security issue with mixing sessions
Arkadiusz Miskiewicz
arekm at maven.pl
Fri Oct 23 13:38:11 EDT 2009
On Friday 23 of October 2009, Jesse Vincent wrote:
> On Fri, Oct 23, 2009 at 11:24:01AM +0200, Arkadiusz Miskiewicz wrote:
> > I have a very serious security problem with a 3.8 installation (3.8.6
> > currently).
> >
> > Logged-in user sessions are being mixed up. One logged-in user becomes
> > another logged-in user as seen by RT. It happens at different moments.
> >
> > For example, I'm user A and after clicking to view some ticket I become
> > user B.
> >
> > Or I'm logged in as user A but suddenly I get a prompt about needing to log
> > in, and after logging in with user A's data I become user C (in this case
> > "Successful login for .." isn't logged into the logs).
> >
> > Tried using the default settings (session kept in MySQL) but also
> > Apache::Session::File. The problem happens in both cases. I'm using mod_perl
> > to run RT.
>
> I don't think I've ever seen this with RT, but I have seen it with other
> applications - the cause is _usually_ an HTTP proxy that's caching RT's
> pages. Do you have any sort of HTTP proxy between your browsers and your
> server?
No proxy. Also, RT is served over HTTPS. The session is really changing user,
because when trying to do something that user A has access to I get permission
denied due to B/C not having that access.
Something else is going on.
> -jesse
--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/
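Jesse's hypothesis above (a caching proxy handing one user's page to another) can be checked from the defender's side by auditing the cache headers RT sends on an authenticated page. The following is an added example, not RT's code or anything from this thread; it assumes cookie-based RT sessions and takes host, path and cookie as placeholders on the command line.

```python
"""Audit the cache headers of an authenticated RT page (added example, not RT code).

Assumes cookie-based RT sessions; host, path and cookie are placeholders passed by the
caller. A personalised page that a shared proxy is allowed to store, and that is not
keyed on the Cookie header, can be served to a different user than it was built for."""
import http.client
import sys
from typing import Dict, Iterable, List, Tuple

def parse_cache_control(value: str) -> Dict[str, str]:
    """'private, max-age=0' -> {'private': '', 'max-age': '0'} (names lower-cased)."""
    out: Dict[str, str] = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip().strip('"')
    return out

def audit_cache_headers(status: int, headers: Iterable[Tuple[str, str]]) -> List[str]:
    """Return findings explaining why a shared cache could mis-serve this response."""
    cc: Dict[str, str] = {}
    vary: List[str] = []
    sets_cookie = False
    for name, value in headers:
        key = name.lower()
        if key == "cache-control":
            cc.update(parse_cache_control(value))
        elif key == "vary":
            vary += [v.strip().lower() for v in value.split(",")]
        elif key == "set-cookie":
            sets_cookie = True
    findings: List[str] = []
    if status != 200:
        return findings                      # only final page bodies matter here
    if "no-store" in cc or "private" in cc:
        return findings                      # shared caches must not store it
    findings.append("shared cache may store this response (no 'private'/'no-store')")
    if "cookie" not in vary and "*" not in vary:
        findings.append("not keyed on Cookie (no 'Vary: Cookie'); cached copy is user-independent")
    if sets_cookie:
        findings.append("Set-Cookie on a cacheable response; cookie could be replayed to other clients")
    return findings

def fetch_and_audit(host: str, path: str, session_cookie: str) -> List[str]:
    """GET an RT page over HTTPS with the given session cookie and audit its headers."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("GET", path, headers={"Cookie": session_cookie})
    resp = conn.getresponse()
    return audit_cache_headers(resp.status, resp.getheaders())

if __name__ == "__main__":   # usage: script.py <rt-host> <path> "<session-cookie>" (placeholders)
    for f in fetch_and_audit(sys.argv[1], sys.argv[2], sys.argv[3]) or ["ok: not storable by a shared cache"]:
        print(f)
```

Run it against a ticket display page while logged in; any finding means a proxy placed in front of RT later could legitimately serve that copy to another browser.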