[rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]
Arkadiusz Miskiewicz
arekm at maven.pl
Fri Oct 30 10:13:33 EDT 2009
On Friday 23 of October 2009, Arkadiusz Miskiewicz wrote:
> On Friday 23 of October 2009, Jesse Vincent wrote:
> > I don't think I've ever seen this with RT, but I have seen it with other
> > applications - the cause is _usually_ an HTTP proxy that's caching RT's
> > pages. Do you have any sort of HTTP proxy between your browsers and your
> > server?
>
> No proxy. Also rt is served over https.
There is no proxy but apache serving rt had mod_cache module installed which
turns out to be caching cookies!
Nightmare to track. Uninstalled and so far everything is working nicely.
Now the question is can anything be done on rt level to prevent mod_cache from
caching such stuff and actually creating security issues?
ps. issues.apache.org is full of weird mod_cache related things
> > -jesse
--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/
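
Added example, not part of the original message and not RT or Apache code: a small audit that flags responses which set a cookie while leaving a shared cache (such as mod_cache in front of the application) free to store them, which is the condition behind the session mixing described above. The storability rules are a simplified model assumed for this example, and the paths, cookie values and headers are constructed samples.

```python
# Statuses a shared cache commonly stores (simplified assumption for this example).
CACHEABLE_STATUS = {200, 203, 300, 301, 410}

def cache_directives(headers):
    """Collect Cache-Control directives as {lower-cased name: value or None}."""
    out = {}
    for name, value in headers:
        if name.lower() != "cache-control":
            continue
        for part in value.split(","):
            key, _, val = part.strip().partition("=")
            if key:
                out[key.strip().lower()] = val.strip().strip('"') or None
    return out

def shared_cache_cookie_risk(status, headers):
    """Return a reason if the response sets a cookie and a shared cache may
    store it, else None. no-cache still permits storage, so only no-store
    and private are treated as safe."""
    names = {n.lower() for n, _ in headers}
    if "set-cookie" not in names or status not in CACHEABLE_STATUS:
        return None
    cc = cache_directives(headers)
    if "no-store" in cc or "private" in cc:
        return None
    if "s-maxage" in cc or "max-age" in cc or "expires" in names:
        return "explicit freshness lifetime"
    if "last-modified" in names or "etag" in names:
        return "validator present, heuristic caching possible"
    return None

# Constructed sample responses: path -> (status, header list).
SAMPLES = {
    "/app/index.html": (200, [("Set-Cookie", "session=constructed-1"),
                              ("Last-Modified", "Fri, 23 Oct 2009 10:00:00 GMT")]),
    "/app/search": (200, [("Set-Cookie", "session=constructed-2"),
                          ("Cache-Control", "public, max-age=60")]),
    "/app/login": (200, [("Set-Cookie", "session=constructed-3"),
                         ("Cache-Control", "no-store, private")]),
    "/static/logo.png": (200, [("Cache-Control", "max-age=86400")]),
}

def audit(samples=SAMPLES):
    """Map each sample path to its risk reason (None means no finding)."""
    return {p: shared_cache_cookie_risk(s, h) for p, (s, h) in samples.items()}

if __name__ == "__main__":
    for path, reason in audit().items():
        print(f"{path}: {reason or 'ok'}")
```
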