[rt-users] [Rt-announce] RT 3.6.9 Released

Kevin Falcone falcone at bestpractical.com
Mon Sep 14 15:22:17 EDT 2009


This release of RT-3.6.9 contains an important security fix.

You can download it from:

http://download.bestpractical.com/pub/rt/release/rt-3.6.9.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-3.6.9.tar.gz.sig

SHA1 checksums

eaaa3d6d9b9e955ba7c4dc0c9b4eca3d02ad6fef  rt-3.6.9.tar.gz
d710bd2d8fa4eec4b1ed0c1519eb762dd5078a0a  rt-3.6.9.tar.gz.sig

During a routine internal audit, it was determined that all versions of
RT from 3.4.6 to 3.8.4 are vulnerable to an escaping bug in the display
of Custom Fields that could allow injection of JavaScript into the RT
UI.

This bug is only exploitable if you have a Custom Field that accepts
data from an end user (such as Enter one Value, or Fill in one text
area).  It does not affect 'select one value' fields.  In addition, you
must allow malicious users to set these custom fields, either through
the Web UI (SelfService) or through an automated parsing script such as
RT-Extension-ExtractCustomFieldValues, RT-Extension-CommandByMail or a
local parsing modification.

If you do not allow external users to set Custom Field values and the
only users who have ModifyCustomField are your Privileged users, then
the impact of this is limited to one of your trusted users attacking the
system.
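As an added example (not RT's own code and not part of this announcement), here is a small Perl regression check that mirrors the two branches of the attached patch: the unpatched fallback prints a custom field's Content raw, the patched one HTML-escapes it first. It assumes that HTML::Entities::encode_entities with the character set '<>&"' is equivalent to Mason's 'h' escape flag, and the sample values are constructed, not real ticket data.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);
use Test::More tests => 5;

# Fallback branch as it was before the patch: the value is printed as-is,
# so any markup stored in an "Enter one value" or text-area field is
# handed to the browser unchanged.
sub render_unpatched {
    my ($content) = @_;
    return $content;
}

# Fallback branch after the patch. ASSUMPTION: encode_entities with this
# character set does the same work as $m->interp->apply_escapes($x, 'h').
sub render_patched {
    my ($content) = @_;
    return encode_entities( $content, '<>&"' );
}

# Audit helper for existing data: returns 1 when a stored value would have
# rendered as live markup under the old code. Useful for finding fields
# that were set by external users before the patch was applied.
sub value_would_render_as_markup {
    my ($content) = @_;
    return ( $content =~ /[<>"&]/ ) ? 1 : 0;
}

# Constructed sample values.
my $markup  = '<script>alert(1)</script>';
my $ordinary = 'Hardware request for desk 12';

like( render_unpatched($markup), qr/<script>/,
    'unpatched output keeps the markup intact' );
unlike( render_patched($markup), qr/[<>]/,
    'patched output contains no raw angle brackets' );
is( render_patched('Tom & Jerry "Sr."'),
    'Tom &amp; Jerry &quot;Sr.&quot;',
    'ampersand and double quotes are escaped too' );
is( render_patched($ordinary), $ordinary,
    'ordinary text passes through unchanged' );
is( value_would_render_as_markup($markup), 1,
    'audit helper flags stored markup' );
```

Run it with `prove` or `perl`; the audit helper can be pointed at values pulled from ObjectCustomFieldValues to see which existing records are worth inspecting.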

I have attached patches for the 3.6 branch of RT in case you do not wish
to upgrade at this time.

We will be releasing 3.8.5 shortly, and that release will also contain
the bugfix, as well as patches for 3.4 and 3.8.

You can apply this patch as follows:

RT 3.6

cd /opt/rt3/share
patch -p1 < /path/to/RT-3.6-escape_custom_field_value.patch

You should then clear your Mason cache:

# rm -rf /opt/rt3/var/mason_data/obj/*

and restart your webserver; this is often accomplished with

# /etc/init.d/httpd restart

or

# /etc/init.d/apache restart
-------------- next part --------------
diff --git a/html/Elements/ShowCustomFields b/html/Elements/ShowCustomFields
index 9fc74fd..cf6127e 100644
--- a/html/Elements/ShowCustomFields
+++ b/html/Elements/ShowCustomFields
@@ -90,7 +90,7 @@ my $print_value = sub {
     if ( $m->comp_exists( $comp ) ) {
         $m->comp( $comp, Object => $value );
     } else {
-        $m->print( $value->Content );
+        $m->out( $m->interp->apply_escapes( $value->Content, 'h' ) );
     }
     $m->out('</a>') if $linked;
 
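Review bot: the escaping is added only to the fallback branch; the `$m->comp( $comp, Object => $value )` branch just above it delegates rendering of typed values to a per-type component, so each of those components must escape `$value->Content` itself or the same injection remains for those field types. The trailing context line `$m->out('</a>') if $linked;` also shows the value is wrapped in a link whose opening tag lies outside this hunk; confirm that tag does not interpolate the raw Content, since the `'h'` flag here only protects the text node, not an attribute. A one-line comment on the `apply_escapes` call stating that Content is user-supplied would help keep the escaping from being dropped in a later edit.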