[rt-users] 3.8.x serious security issue with mixing sessions

Matthew Keller kellermg at potsdam.edu
Fri Oct 23 13:59:58 EDT 2009


Arkadiusz Miskiewicz wrote:
> I have a very serious security problem with a 3.8 installation (3.8.6 
> currently). 
> 
> Logged-in user sessions are being mixed up. One logged-in user is becoming another 
> logged-in user as seen by RT. It happens at different moments. 

Are you using HTTP authentication or RT's built-in login page? If the 
former, it's likely a leaky Apache process, Squid or auth_cache problem 
(not RT); if the latter, then most likely a caching issue or possibly an RT 
bug.

-- 
Matthew Keller
Information Security Officer
Computing & Technology Services
State University of New York @ Potsdam
Potsdam, NY, USA


