[rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]
Jesse Vincent
jesse at bestpractical.com
Fri Oct 30 15:26:35 EDT 2009
On Fri, Oct 30, 2009 at 03:13:33PM +0100, Arkadiusz Miskiewicz wrote:
> On Friday 23 of October 2009, Arkadiusz Miskiewicz wrote:
> > On Friday 23 of October 2009, Jesse Vincent wrote:
>
> > > I don't think I've ever seen this with RT, but I have seen it with other
> > > applications - the cause is _usually_ an HTTP proxy that's caching RT's
> > > pages. Do you have any sort of HTTP proxy between your browsers and your
> > > server?
> >
> > No proxy. Also rt is served over https.
>
> There is no proxy but apache serving rt had mod_cache module installed which
> turns out to be caching cookies!
>
> Nightmare to track. Uninstalled and so far everything is working nicely.
>
> Now the question is can anything be done on rt level to prevent mod_cache from
> caching such stuff and actually creating security issues?
Well, what does mod_cache need to know not to cache requests?
>
> ps. issues.apache.org is full of weird mod_cache related things
>
> > > -jesse
>
> --
> Arkadiusz Miśkiewicz PLD/Linux Team
> arekm / maven.pl http://ftp.pld-linux.org/
>