[Rtir] RTIR 1.0.4 now available - Fixes XSS vulnerability

Jansen Robert rjansen at vub.ac.be
Wed Feb 11 05:38:55 EST 2004


At 16:07 -0500 10-02-2004, Linda Julien wrote:
>I'm pleased to announce that RT for Incident Response 1.0.4 is now
>available at:
>
>    http://www.fsck.com/pub/rt/devel/rtir-1-0-4.tar.gz
>
>This version fixes a cross-site scripting vulnerability reported on 9
>February 2004.  This issue, described in ticket #5249, involved the
>display of user-entered subject lines as non-escaped html.  The issue
>is described in detail here (login as "guest" with password "guest"):
>
>    http://rt3.fsck.com/Ticket/Display.html?id=5249
>
>We strongly encourage all sites currently running RTIR to upgrade to
>this release.  Many thanks to Vytautas Krakauskas from LitNET NOC CERT
>(vytautas at litnet.lt) for reporting this XSS issue.
>
>This version of RTIR also features significant performance
>improvements, and the addition of the requestor in the main page
>listing of unlinked incident reports.
>
>Bug fixes include:
>
>- no HTML escaping on pre-populated information for new incidents and
>   investigations
>
>- stealing an incident, incident report, investigation, or block
>   produces the proper owner for all related tickets
>
>- 'About RTIR' link only appears when the user is inside of RTIR
>
>- The DutyTeam group receives ShowTemplate permissions by default, for
>   easier use of the Scripted Action tool.
>
>Best,
>Linda Julien
>Best Practical
>_______________________________________________
>RTIR mailing list
>RTIR at lists.bestpractical.com
>http://lists.bestpractical.com/mailman/listinfo/rtir



I would be happy to give it a shot to upgrade, if only the file would
be available at the URL supplied...

Best regards.

-- 
--------------------------
Brussels University
Pleinlaan 2
Computer Center VUB/ULB (VUBnet)
Ing. Robert Jansen
B-1050 Brussels
Belgium (Europe)


email: rjansen at vub.ac.be
Tel:  +32-2-650.36.94
Secr: +32-2-650.37.38
Fax:  +32-2-650.37.40
--------------------------
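The class of bug the announcement describes (user-entered subject lines, and pre-populated new-incident fields, written into the page without HTML escaping) as an added illustration in Python, not RTIR's own Perl/Mason code; the ticket data, function names and the regression check are constructed here for the example:

```python
import html
import re

# Constructed sample ticket data (not from RTIR). Ticket 1 carries markup
# and quotes in its subject, the kind of input that ticket #5249 concerned.
SAMPLE_TICKETS = [
    {"id": 1, "subject": 'Phishing report <b>URGENT</b> & "read me"'},
    {"id": 2, "subject": "Normal subject"},
]


def render_listing_vulnerable(tickets):
    """Pre-1.0.4 style rendering: the subject is interpolated as raw HTML."""
    rows = [f"<tr><td>{t['id']}</td><td>{t['subject']}</td></tr>"
            for t in tickets]
    return "<table>" + "".join(rows) + "</table>"


def render_listing_fixed(tickets):
    """Escape once, at output time, for the HTML text-node context."""
    rows = [f"<tr><td>{t['id']}</td><td>{html.escape(t['subject'])}</td></tr>"
            for t in tickets]
    return "<table>" + "".join(rows) + "</table>"


def render_new_incident_form_fixed(prefill_subject):
    """Pre-populated values land inside a quoted attribute, so the quote
    characters must be escaped as well as < > & (quote=True does both)."""
    value = html.escape(prefill_subject, quote=True)
    return f'<input name="Subject" value="{value}">'


def has_unescaped_markup(rendered, user_values):
    """Regression check: no user-supplied value that contains HTML-significant
    characters may appear verbatim in the rendered output."""
    return any(v in rendered for v in user_values if re.search(r'[<>&"]', v))


if __name__ == "__main__":
    subjects = [t["subject"] for t in SAMPLE_TICKETS]
    print("vulnerable leaks markup:",
          has_unescaped_markup(render_listing_vulnerable(SAMPLE_TICKETS), subjects))
    print("fixed leaks markup:",
          has_unescaped_markup(render_listing_fixed(SAMPLE_TICKETS), subjects))
    print(render_new_incident_form_fixed('Re: "urgent" <x>'))
```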


