[rt-users] [Rt-announce] RT 3.8.5 Released

Kevin Falcone falcone at bestpractical.com
Mon Sep 14 15:27:35 EDT 2009


This release of RT-3.8.5 contains an important security fix.

You can download it from:

http://download.bestpractical.com/pub/rt/release/rt-3.8.5.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-3.8.5.tar.gz.sig

SHA1 checksums

26854e1a34052a2a922dc0ff533056f782813ea7  rt-3.8.5.tar.gz
96fcf9d75ce293d019bdcd0865495c6b2ac18534  rt-3.8.5.tar.gz.sig

During a routine internal audit, it was determined that all versions of
RT from 3.4.6 to 3.8.4 are vulnerable to an escaping bug in the display
of Custom Fields that could allow injection of javascript into the RT
UI.

This bug is only exploitable if you have a Custom Field that accepts
data from an end user (such as Enter one Value, or Fill in one text
area).  It does not affect 'select one value' fields.  In addition, you
must allow malicious users to set these custom fields, either through
the Web UI (SelfService) or through an automated parsing script such as
RT-Extension-ExtractCustomFieldValues, RT-Extension-CommandByMail or a
local parsing modification.

If you do not allow external users to set Custom Field values and the
only users who have ModifyCustomField are your Privileged users, then
the impact of this is limited to one of your trusted users attacking the
system.

I have attached patches for the 3.4, 3.6 and 3.8 branches of RT
in case you do not wish to upgrade at this time.

You can apply these patches as follows:

RT 3.4

cd /opt/rt3/share
patch -p1 < /path/to/RT-3.4-escape_custom_field_value.patch

RT 3.6

cd /opt/rt3/share
patch -p1 < /path/to/RT-3.6-escape_custom_field_value.patch

RT 3.8

cd /opt/rt3/
patch -p1 < /path/to/RT-3.8-escape_custom_field_value.patch

You should then clear your Mason cache:
# rm -rf /opt/rt3/var/mason_data/obj/*

and restart your webserver; this is often accomplished with

# /etc/init.d/httpd restart
or
# /etc/init.d/apache restart
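The download-verification and patching steps above, written as shell functions with the dry run and post-patch check a practitioner would want. This is an added example, not part of the announcement or of RT itself: the RT root, branch and patch path are arguments I have assumed, and the demo function builds a constructed stub tree in a temp directory (a stand-in for share/html/Elements/ShowCustomFields) rather than touching /opt/rt3.

```shell
#!/bin/sh
# Added example, not from the announcement or the RT project: the same
# verify/patch/clear-cache procedure as shell functions, with a dry run
# before the real patch and a check that the escaping call landed.
# Assumed by me: RT root, branch and patch file are passed as arguments;
# the web server is restarted through whichever init script exists.
set -u

# verify_sha1 FILE EXPECTED: 0 only if FILE hashes to the published SHA1
verify_sha1() {
    actual=$(sha1sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# rt_patch_root RTROOT BRANCH: where `patch -p1` must run. The 3.4/3.6
# patches are rooted at html/, the 3.8 one at share/html/ (see the diffs).
rt_patch_root() {
    case $2 in
        3.4|3.6) printf '%s/share\n' "$1" ;;
        3.8)     printf '%s\n' "$1" ;;
        *)       echo "unknown RT branch: $2" >&2; return 1 ;;
    esac
}

# apply_rt_patch RTROOT BRANCH PATCHFILE: refuse to touch the tree unless
# every hunk applies cleanly in a dry run first.
apply_rt_patch() {
    root=$(rt_patch_root "$1" "$2") || return 1
    (cd "$root" && patch -p1 -s --dry-run < "$3") || return 1
    (cd "$root" && patch -p1 -s < "$3")
}

# clear_mason_cache RTROOT: the announcement's rm -rf, guarded so an empty
# or wrong root can never expand to rm -rf /var/...
clear_mason_cache() {
    obj="$1/var/mason_data/obj"
    [ -n "$1" ] && [ -d "$obj" ] || return 1
    rm -rf "$obj"/*
}

# fixed_in_tree RTROOT BRANCH: 0 once the fallback branch escapes Content
fixed_in_tree() {
    root=$(rt_patch_root "$1" "$2") || return 1
    grep -q "apply_escapes( \$value->Content, 'h' )" \
        "$root/html/Elements/ShowCustomFields"
}

# restart_webserver: tries the two init scripts named in the announcement
restart_webserver() {
    for s in /etc/init.d/httpd /etc/init.d/apache; do
        [ -x "$s" ] && { "$s" restart; return; }
    done
    echo "no known web server init script found" >&2
    return 1
}

# demo_patch_in_tmpdir: builds a constructed RT-3.4-shaped tree (a stub
# ShowCustomFields carrying the vulnerable line) under a temp dir, applies
# the 3.4 hunk from the announcement, trimmed to two trailing context lines
# so the heredoc needs no whitespace-only line, and prints the tree's path.
demo_patch_in_tmpdir() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/share/html/Elements" "$tmp/var/mason_data/obj/stale"
    cat > "$tmp/share/html/Elements/ShowCustomFields" <<'EOF'
# constructed stand-in for RT 3.4 html/Elements/ShowCustomFields
    if ( $m->comp_exists( $comp ) ) {
        $m->comp( $comp, Object => $value );
    } else {
        $m->print( $value->Content );
    }
};
EOF
    cat > "$tmp/RT-3.4-escape_custom_field_value.patch" <<'EOF'
--- a/html/Elements/ShowCustomFields
+++ b/html/Elements/ShowCustomFields
@@ -76,6 +76,6 @@ my $print_value = sub {
     if ( $m->comp_exists( $comp ) ) {
         $m->comp( $comp, Object => $value );
     } else {
-        $m->print( $value->Content );
+        $m->out( $m->interp->apply_escapes( $value->Content, 'h' ) );
     }
 };
EOF
    apply_rt_patch "$tmp" 3.4 "$tmp/RT-3.4-escape_custom_field_value.patch" || return 1
    clear_mason_cache "$tmp" || return 1
    fixed_in_tree "$tmp" 3.4 || return 1
    printf '%s\n' "$tmp"
}
```

Before unpacking a real download, run `verify_sha1 rt-3.8.5.tar.gz 26854e1a34052a2a922dc0ff533056f782813ea7` against the checksum published above and `gpg --verify rt-3.8.5.tar.gz.sig rt-3.8.5.tar.gz` for the detached signature; a SHA1 match alone only catches a corrupted download, not a replaced one. The dry run matters because a hunk that fails halfway leaves a tree that is neither patched nor clean.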
-------------- next part --------------
diff --git a/html/Elements/ShowCustomFields b/html/Elements/ShowCustomFields
index 199fe36..19a3b68 100644
--- a/html/Elements/ShowCustomFields
+++ b/html/Elements/ShowCustomFields
@@ -76,7 +76,7 @@ my $print_value = sub {
     if ( $m->comp_exists( $comp ) ) {
         $m->comp( $comp, Object => $value );
     } else {
-        $m->print( $value->Content );
+        $m->out( $m->interp->apply_escapes( $value->Content, 'h' ) );
     }
 };
 
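Review bot: the escaping is added only in the else branch; the `$m->comp( $comp, Object => $value )` branch two lines above still hands the raw value to the per-type ShowCustomField* component, so every such component (and any site-local copy of one) has to escape `$value->Content` itself or the same injection survives for those field types. A sentence in the announcement saying which types take the comp path would let admins audit their local overrides. Otherwise sound: `$m->out` and `$m->print` are equivalent in Mason, so the behavioural change is exactly the `apply_escapes( ..., 'h' )` wrapper, and HTML-entity escaping is the right flag for a value written as element text.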
-------------- next part --------------
diff --git a/html/Elements/ShowCustomFields b/html/Elements/ShowCustomFields
index 9fc74fd..cf6127e 100644
--- a/html/Elements/ShowCustomFields
+++ b/html/Elements/ShowCustomFields
@@ -90,7 +90,7 @@ my $print_value = sub {
     if ( $m->comp_exists( $comp ) ) {
         $m->comp( $comp, Object => $value );
     } else {
-        $m->print( $value->Content );
+        $m->out( $m->interp->apply_escapes( $value->Content, 'h' ) );
     }
     $m->out('</a>') if $linked;
 
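Review bot: `$m->out('</a>') if $linked;` at the end of the hunk shows the value is rendered inside an anchor whose opening tag is emitted above the hunk and is not touched by this patch; if any part of that `<a>` tag (the href or a title) is derived from the field value or its link template, it needs attribute-context escaping separately, because the 'h' escape applied here covers only the text node between the tags. That code path should be checked before calling the 3.6 branch fully fixed.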
-------------- next part --------------
diff --git a/share/html/Elements/ShowCustomFields b/share/html/Elements/ShowCustomFields
index d9b23ed..7053594 100644
--- a/share/html/Elements/ShowCustomFields
+++ b/share/html/Elements/ShowCustomFields
@@ -92,7 +92,7 @@ my $print_value = sub {
     if ( $m->comp_exists( $comp ) ) {
         $m->comp( $comp, Object => $value );
     } else {
-        $m->print( $value->Content );
+        $m->out( $m->interp->apply_escapes( $value->Content, 'h' ) );
     }
     $m->out('</a>') if $linked;
 
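Review bot: this is the 3.6 change rebased onto the share/html path (hunk at line 92 instead of 90), which is the only reason the instructions run it from /opt/rt3 rather than /opt/rt3/share; a line in the patch header stating the expected -p1 root would prevent a failed hunk from a wrong cd. No regression test accompanies the change in any of the three branches; a test that renders a custom field value containing `<script>` and asserts on `&lt;script&gt;` in the output would keep the fallback branch from regressing. Same caveat as the 3.6 hunk on the unpatched `<a>` opening tag above the hunk.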