[Rtir] RTIR 1.0.4 now available - Fixes XSS vulnerability
Jansen Robert
rjansen at vub.ac.be
Wed Feb 11 05:38:55 EST 2004
At 16:07 -0500 10-02-2004, Linda Julien wrote:
>I'm pleased to announce that RT for Incident Response 1.0.4 is now
>available at:
>
> http://www.fsck.com/pub/rt/devel/rtir-1-0-4.tar.gz
>
>This version fixes a cross-site scripting vulnerability reported on 9
>February 2004. This issue, described in ticket #5249, involved the
>display of user-entered subject lines as non-escaped html. The issue
>is described in detail here (login as "guest" with password "guest"):
>
> http://rt3.fsck.com/Ticket/Display.html?id=5249
>
>We strongly encourage all sites currently running RTIR to upgrade to
>this release. Many thanks to Vytautas Krakauskas from LitNET NOC CERT
>(vytautas at litnet.lt) for reporting this XSS issue.
>
>This version of RTIR also features significant performance
>improvements, and the addition of the requestor in the main page
>listing of unlinked incident reports.
>
>Bug fixes include:
>
>- no HTML escaping on pre-populated information for new incidents and
> investigations
>
>- stealing an incident, incident report, investigation, or block
> produces the proper owner for all related tickets
>
>- 'About RTIR' link only appears when the user is inside of RTIR
>
>- The DutyTeam group receives ShowTemplate permissions by default, for
> easier use of the Scripted Action tool.
>
>Best,
>Linda Julien
>Best Practical
>_______________________________________________
>RTIR mailing list
>RTIR at lists.bestpractical.com
>http://lists.bestpractical.com/mailman/listinfo/rtir
I would be happy to give it a shot to upgrade, If only the file would
be available at the URL supplied...
Best regards.
--
--------------------------
Brussels University
Pleinlaan 2
Computer Center VUB/ULB (VUBnet)
Ing. Robert Jansen
B-1050 Brussels
Belgium (Europe)
email: rjansen at vub.ac.be
Tel: +32-2-650.36.94
Secr: +32-2-650.37.38
Fax: +32-2-650.37.40
--------------------------
More information about the Rtir
mailing list