[Rtir] RTIR 1.0.4 now available - Fixes XSS vulnerability

Jansen Robert rjansen at vub.ac.be
Wed Feb 11 05:38:55 EST 2004

At 16:07 -0500 10-02-2004, Linda Julien wrote:
>I'm pleased to announce that RT for Incident Response 1.0.4 is now
>available at:
>    http://www.fsck.com/pub/rt/devel/rtir-1-0-4.tar.gz
>This version fixes a cross-site scripting vulnerability reported on 9
>February 2004.  This issue, described in ticket #5249, involved the
>display of user-entered subject lines as non-escaped html.  The issue
>is described in detail here (login as "guest" with password "guest"):
>    http://rt3.fsck.com/Ticket/Display.html?id=5249
>We strongly encourage all sites currently running RTIR to upgrade to
>this release.  Many thanks to Vytautas Krakauskas from LitNET NOC CERT
>(vytautas at litnet.lt) for reporting this XSS issue.
>This version of RTIR also features significant performance
>improvements, and the addition of the requestor in the main page
>listing of unlinked incident reports.
>Bug fixes include:
>- no HTML escaping on pre-populated information for new incidents and
>   investigations
>- stealing an incident, incident report, investigation, or block
>   produces the proper owner for all related tickets
>- 'About RTIR' link only appears when the user is inside of RTIR
>- The DutyTeam group receives ShowTemplate permissions by default, for
>   easier use of the Scripted Action tool.
>Linda Julien
>Best Practical
>RTIR mailing list
>RTIR at lists.bestpractical.com

I would be happy to give the upgrade a shot, if only the file were
available at the URL supplied...

Best regards.

Ing. Robert Jansen
Computer Center VUB/ULB (VUBnet)
Brussels University
Pleinlaan 2
B-1050 Brussels
Belgium (Europe)

email: rjansen at vub.ac.be
Tel:  +32-2-650.36.94
Secr: +32-2-650.37.38
Fax:  +32-2-650.37.40
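The two escaping bugs the quoted announcement lists (subject lines shown as raw HTML, and pre-populated fields for new incidents and investigations not escaped) are the same mistake in two HTML contexts: element text and an attribute value. The following is an added illustration written for this page in Python, not RTIR's own Perl/Mason code; the render functions, the audit helper and the sample subjects are all constructed for the example. It shows the unescaped rendering beside the escaped one and a small parser-based check that flags injected tags and event-handler attributes, which is the kind of check a site could run over its own rendered pages before and after upgrading.

```python
import html
from html.parser import HTMLParser

# Constructed sample subjects for the example (not taken from the RTIR bug report).
# The third one is harmless in element text but breaks out of a double-quoted attribute.
SUBJECTS = [
    "Suspicious login from 10.0.0.5",
    '<script>alert("xss")</script>',
    'Report" onmouseover="alert(1)',
]

LISTING_TAGS = {"table", "tr", "td"}   # tags the listing template itself emits
FORM_TAGS = {"input"}                  # tags the prefill template itself emits


def render_listing_vulnerable(subjects):
    """Interpolate user-entered subjects verbatim: the behaviour the advisory describes."""
    rows = "".join(f"<tr><td>{s}</td></tr>" for s in subjects)
    return f"<table>{rows}</table>"


def render_listing_fixed(subjects):
    """Escape on output. quote=True also covers the attribute case below."""
    rows = "".join(f"<tr><td>{html.escape(s, quote=True)}</td></tr>" for s in subjects)
    return f"<table>{rows}</table>"


def render_prefilled_form_vulnerable(subject):
    """Pre-populated form field with the subject placed into an attribute unescaped."""
    return f'<input name="Subject" value="{subject}">'


def render_prefilled_form_fixed(subject):
    """Same field with quotes escaped, so the value cannot terminate the attribute."""
    return f'<input name="Subject" value="{html.escape(subject, quote=True)}">'


class _MarkupAudit(HTMLParser):
    """Collect every start tag and every on* attribute the browser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.event_attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_attrs.extend(name for name, _ in attrs if name.startswith("on"))


def audit(markup, expected_tags):
    """Report tags the template did not emit and any event-handler attributes.

    Both lists are empty for correctly escaped output; anything else means
    user-controlled text was parsed as markup.
    """
    parser = _MarkupAudit()
    parser.feed(markup)
    parser.close()
    return {
        "unexpected_tags": sorted(set(parser.tags) - set(expected_tags)),
        "event_handlers": sorted(parser.event_attrs),
    }


if __name__ == "__main__":
    print("listing, unescaped:", audit(render_listing_vulnerable(SUBJECTS), LISTING_TAGS))
    print("listing, escaped:  ", audit(render_listing_fixed(SUBJECTS), LISTING_TAGS))
    print("prefill, unescaped:", audit(render_prefilled_form_vulnerable(SUBJECTS[2]), FORM_TAGS))
    print("prefill, escaped:  ", audit(render_prefilled_form_fixed(SUBJECTS[2]), FORM_TAGS))
```

The attribute case is why escaping only `<`, `>` and `&` is not enough for the pre-populated fields: a subject containing a double quote closes the `value` attribute and everything after it becomes new attributes, so quotes must be escaped too (here via `quote=True`). The parser-based audit is deliberately not a regex over the raw string; it reports what an HTML parser actually makes of the page.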
