[rt-users] 3.8.x serious security issue with mixing

Thomas Sibley trs at bestpractical.com
Tue Jul 12 13:45:27 EDT 2011


On 07/12/2011 01:43 PM, Nicôle Layne-Balram wrote:
> This is in response to an older thread that I do not think has been resolved or at least I can't find a working resolution posted anywhere.

FWIW, there have been a few other threads since then that address this
issue, all of which have successful resolutions.

> I'm not using a proxy (just straight apache with one RT instance), the backend is remote MySQL and users have two options for authenticating - LDAP/Active Directory or the local RT DB.

In all of the cases of this problem, it's an Apache module such as
mod_cache that is improperly serving up cached cookies instead of the
ones RT is setting.  You can generally fix this by disabling the caching
modules in your Apache config.

To be clear, this is _not_ a bug in RT, but a very poor Apache
configuration that is the default for some Linux distributions.

Thomas
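
An added example, not part of the original message or of RT: a shell check that lists active caching-module directives in an Apache config, so you can see what to disable. The function name `audit_apache_cache`, the module-name list (Apache 2.2 and 2.4 naming) and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report active caching directives in an Apache config file.
# Assumed module names: cache, disk_cache, mem_cache (Apache 2.2) and
# cache_disk, cache_socache (Apache 2.4).

audit_apache_cache() {
    # $1 = path to an Apache config file; prints one finding per line
    awk '
        $1 ~ /^#/ { next }    # commented-out directive, so inactive
        tolower($1) == "loadmodule" &&
        $2 ~ /^(cache|disk_cache|mem_cache|cache_disk|cache_socache)_module$/ {
            printf "line %d: %s is loaded\n", FNR, $2
        }
        tolower($1) == "cacheenable" {
            printf "line %d: CacheEnable %s %s\n", FNR, $2, $3
        }
    ' "$1"
}

# Constructed sample config, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule cache_module modules/mod_cache.so
LoadModule disk_cache_module modules/mod_disk_cache.so
#LoadModule mem_cache_module modules/mod_mem_cache.so
<IfModule mod_disk_cache.c>
    CacheEnable disk /
</IfModule>
EOF

findings=$(audit_apache_cache "$sample")
printf '%s\n' "$findings"
rm -f "$sample"
```

Run it against each file your distribution includes into the main config, since the `LoadModule` lines often live in separate per-module files.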


