[rt-users] 3.8.x serious security issue with mixing sessions

Arkadiusz Miskiewicz arekm at maven.pl
Thu Oct 29 10:35:09 EDT 2009


On Thursday 29 of October 2009, Jesse Vincent wrote:
> On Thu, Oct 29, 2009 at 03:18:33PM +0100, Arkadiusz Miskiewicz wrote:
> > On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
> >
> > Today it happened to me. I suddenly became user B in RT (Opera). The
> > real user B had his PC running with RT opened (Firefox) with autorefresh
> > every 2 minutes set, but he was away from his computer.
> 
> I really need to see protocol-level HTTP logs for both of these
> sessions. I need to see when/if RT handed you his cookie.

One Firefox user here has HttpFox [1] running, but so far he hasn't had any
problem for the last 2 days :-(

Our RT is running over SSL, so sniffing at the wire level is also not possible (or at
least I don't know of any working Linux sniffer that could do that, provided I
have the key/cert).

Trying to get that.

[1] It sucks a little, as it doesn't have a "save log" capability.
-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/
