[rt-users] 3.8.x serious security issue with mixing
Nicôle Layne-Balram
nlayne at telebarbados.com
Tue Jul 12 13:50:34 EDT 2011
Ok, thanks for the response, will check.
Kind regards,
Nicôle
-----Original Message-----
From: ktm at rice.edu [mailto:ktm at rice.edu]
Sent: Tuesday, July 12, 2011 1:47 PM
To: Nicôle Layne-Balram
Cc: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] 3.8.x serious security issue with mixing
On Tue, Jul 12, 2011 at 01:43:09PM -0400, Nicôle Layne-Balram wrote:
> This is in response to an older thread that I do not think has been resolved or at least I can't find a working resolution posted anywhere.
>
> The initial e-mail thread, logs and responses can be found here http://www.mail-archive.com/rt-users@lists.bestpractical.com/msg23167.html.
>
> I'm running RT 3.8.8 and using RT-Authen-ExternalAuth 0.8.
>
> I'm not using a proxy (just straight apache with one RT instance), the backend is remote MySQL and users have two options for authenticating - LDAP/Active Directory or the local RT DB.
>
> A summary of what happens:
>
> User A logs in successfully, but is "served up" user B's session. When user A looks top right for their username, they actually see someone else's username and have access to their queues, etc. as though user B had logged in. User A would then have to log off and back on, and most times doing this once works.
>
> User A and B can be from different groups. There seems to be no pattern to the accounts that are mixed up, and it happens quite randomly. Sometimes you log in fine (as yourself) for 15 tries, and then on the 16th, all of a sudden you're logged in as someone else.
>
> It happens often enough for it to be annoying and for users to then post updates as others by mistake.
>
> It also happens on different browsers.
>
> In looking at the changelog for RT-Authen-ExternalAuth, I don't think that the two updates since have addressed this issue, if that plug-in is to blame.
>
> Anyone had a similar issue, any ideas?
>
> Thanks.
>
> Kind regards,
> Nicôle
>
Hi Nicole,
These issues have been traced to mod_cache and other cookie caching problems
previously. You do not need a proxy to have the problem. I would start looking
there.
Cheers,
Ken
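A small model of the failure mode Ken points at, added here and not part of the thread, of RT or of mod_cache: a shared cache keyed on URL alone that stores responses carrying Set-Cookie hands the first user's session to the next visitor, while a cache that refuses to store cookie-setting or private responses keeps the sessions apart. The URL, cookie name and `unsafe_to_cache` policy are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def origin(url: str, user: str) -> Response:
    """Constructed stand-in for an authenticated RT page: every response
    carries that user's own session cookie (cookie name and value made up)."""
    return Response(
        body=f"{url}: logged in as {user}",
        headers={"Set-Cookie": f"RT_SID=sess-{user}",
                 "Cache-Control": "private"},
    )


def unsafe_to_cache(headers: dict) -> bool:
    """A shared cache must not store per-user responses: anything that sets a
    cookie, or is marked private/no-store, is skipped."""
    cc = {t.strip().lower() for t in headers.get("Cache-Control", "").split(",")}
    return "Set-Cookie" in headers or bool(cc & {"private", "no-store"})


class SharedCache:
    """Keyed on URL only, like a cache in front of a single RT instance.
    strict=False models a cache that stores Set-Cookie responses as-is."""

    def __init__(self, strict: bool):
        self.strict = strict
        self.store: dict = {}

    def get(self, url: str, user: str) -> Response:
        if url in self.store:          # served from cache, whoever asks
            return self.store[url]
        resp = origin(url, user)
        if not (self.strict and unsafe_to_cache(resp.headers)):
            self.store[url] = resp
        return resp


def session_seen_by(cache: SharedCache, users) -> list:
    """Which RT_SID each user ends up holding after visiting the same page."""
    return [cache.get("/Ticket/Display.html", u).headers["Set-Cookie"]
            for u in users]


if __name__ == "__main__":
    print(session_seen_by(SharedCache(strict=False), ["alice", "bob"]))
    print(session_seen_by(SharedCache(strict=True), ["alice", "bob"]))
```

With the non-strict cache, bob receives alice's RT_SID, which is exactly the "logged in as someone else" symptom described in the thread.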