[rt-users] 3.8.x serious security issue with mixing sessions

Arkadiusz Miskiewicz arekm at maven.pl
Fri Oct 23 13:52:41 EDT 2009


On Friday 23 of October 2009, Jesse Vincent wrote:
> > No proxy. Also rt is served over https. The session is really changing
> > user because when trying to do something that user A has access to I get
> > permission denied due to B/C not having that access.
> >
> > Something else is going on.
> 
> * Can you capture the cookies on User A, User B, and User C's systems
>   for each HTTP hit to see if 1) they change and 2) they are the same?
> 
>   A tool like the firefox developer toolbar is an easy way to do this.

That will be hard to do but I will try to get some info (in reality it happens 
here for different users which I don't control, but it also happened for me and 
my coworker).

> * Did this also happen with 3.8.5? 

I had this in 3.6.6, whatever was current in March 2008, April 2008 (looking 
at irc logs on when I tried to get some help at #rt), 3.8.2 and now 3.8.6. 
Maybe others too, I don't remember the versions.

Note that the issue was gone for some time (3.8.5 for sure, 3.8.4, too afaik) 
but it's back after I upgraded to 3.8.6. I also upgraded system, so some perl* 
packages were updated, too.

Now, why it was gone for some time is unknown.

> There's a change to session handling in
>  3.8.6.

Which git commit is that?

-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/
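The cookie check Jesse suggests above (do each user's cookies change between hits, and do two users ever present the same one) is easy to answer once the captures are in hand. The script below is an added example, not code from the thread or from RT; it works on constructed Cookie headers and assumes RT's `RT_SID_<rtname>.<port>` cookie naming.

```python
import re
from collections import defaultdict

# Constructed captures (not from the thread): the Cookie request header each
# user's browser sent on successive hits. The cookie name follows RT's
# RT_SID_<rtname>.<port> convention, an assumption to adjust to what you see.
CAPTURES = {
    "userA": ["RT_SID_rt.example.com.443=aaaa1111; lang=en",
              "RT_SID_rt.example.com.443=aaaa1111",
              "RT_SID_rt.example.com.443=cccc3333"],   # id changed mid-session
    "userB": ["RT_SID_rt.example.com.443=bbbb2222",
              "RT_SID_rt.example.com.443=bbbb2222"],
    "userC": ["RT_SID_rt.example.com.443=cccc3333",     # same id as A's third hit
              "RT_SID_rt.example.com.443=cccc3333"],
}

SID_RE = re.compile(r"(?:^|;\s*)(RT_SID_[^=;]+)=([^;]+)")


def session_ids(cookie_header):
    """Return {cookie_name: value} for every RT session cookie in a Cookie header."""
    return dict(SID_RE.findall(cookie_header))


def analyse(captures):
    """Answer the two questions from the thread: does a user's session id
    change between hits, and is any session id presented by more than one user?"""
    per_user = {}              # user -> distinct session ids, in order seen
    owners = defaultdict(set)  # session id -> users that presented it
    for user, hits in captures.items():
        seen = []
        for hit in hits:
            for sid in session_ids(hit).values():
                if sid not in seen:
                    seen.append(sid)
                owners[sid].add(user)
        per_user[user] = seen
    shared = {sid: sorted(users) for sid, users in owners.items() if len(users) > 1}
    return {"per_user_ids": per_user, "shared_ids": shared}


if __name__ == "__main__":
    result = analyse(CAPTURES)
    for user, ids in result["per_user_ids"].items():
        print(user, "CHANGED" if len(ids) > 1 else "stable", ids)
    for sid, users in result["shared_ids"].items():
        print("session", sid, "presented by", ", ".join(users), "-> sessions mixed")
```

A session id that changes for one user without a new login, or one id presented by two different users, is the symptom to take to the bug report together with the RT version and the session backend in use.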
