oss-sec mailing list archives

Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmission upon user log out 2) SQL queries information leak by user account transition


From: Josh Bressers <bressers () redhat com>
Date: Tue, 22 Feb 2011 15:51:08 -0500 (EST)

----- Original Message -----

2) * Redirect users to their desired pages after login.
This prevents possible back button attacks after a user logs out.

Use CVE-2011-1007 for this one.


Further issue details:
A security flaw was found in the way the RT3 ticketing
system handled resubmission of form data after the user
has logged out (but not closed the browser).
A local attacker could use this flaw to access the user
account of the victim (login without providing a password
or obtain user credentials).

References:
[a] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614575
[b] http://lists.bestpractical.com/pipermail/rt-announce/2011-February/000186.html

Upstream bug report:
[c] http://issues.bestpractical.com/Ticket/Display.html?id=15804

Upstream changeset:
[d] https://github.com/bestpractical/rt/commit/917c211820590950f7eb0521f7f43b31aeed44c4

Thomas, could you please confirm [d] is the proper fix for issue 2)?
Thank you.
(* Redirect users to their desired pages after login.)

3) * Clone Scrip's TicketObj since we change the CurrentUser and it can
leak information (Custom field values, etc)

Use CVE-2011-1008 for this one.


Further issue details:
A security flaw was found in the way the RT3 ticketing
system handled logging of SQL queries during user
account transitions. A remote, authenticated RT3
user could use this flaw to obtain sensitive information.

References:
[i] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614576
[ii] http://lists.bestpractical.com/pipermail/rt-announce/2011-February/000186.html

Upstream changeset (still needs confirmation from upstream that it is
the real fix for the issue):
[iii] https://github.com/bestpractical/rt/commit/56e20b874e8d67ab93aa80c2c00155110a27e764

Shawn, could you please confirm [iii] is the proper fix for issue 3)?
(* Clone Scrip's TicketObj since we change the CurrentUser and it can
leak)

If [iii] is not the correct one for issue 3), could you point us
to the right one? Thank you.

Thanks.

-- 
    JB
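As an added illustration of why the "redirect users to their desired pages after login" change (issue 2) matters, here is a small Python model of a login-guarded web application and a browser with history. This is constructed example code, not RT's own code and not part of the thread; the `LoginServer`, `Browser`, the sample credential store and the `/Ticket/Display.html` path are hypothetical. The vulnerable variant renders the requested page directly in the response to the credential POST, so the browser's history entry for that page is the POST itself (credentials included); the fixed variant answers the POST with a 302, so the history entry is a plain GET that, after logout, only yields the login form again.

```python
"""Post/Redirect/Get after login as a defence against back-button replay.

Constructed example: a hypothetical login-guarded app plus a minimal browser
model, used to compare direct rendering with redirect-after-login.
"""
from dataclasses import dataclass, field
import secrets

USERS = {"alice": "correct horse"}   # constructed sample credential store


@dataclass
class Request:
    method: str
    path: str
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


class LoginServer:
    """Hypothetical app: every page requires a session; `prg` selects the fix."""

    def __init__(self, prg: bool):
        self.prg = prg
        self.sessions = {}          # session id -> user name

    def handle(self, req: Request) -> Response:
        if req.path == "/logout":
            self.sessions.pop(req.cookies.get("sid"), None)
            return Response(200, "logged out", {"Set-Cookie": "sid=; Max-Age=0"})
        user = self.sessions.get(req.cookies.get("sid"))
        if user is None and req.method == "POST" and "user" in req.form:
            if USERS.get(req.form["user"]) != req.form.get("pass"):
                return Response(401, "login form")
            sid = secrets.token_hex(16)
            self.sessions[sid] = req.form["user"]
            cookie = {"Set-Cookie": f"sid={sid}"}
            if self.prg:
                # Fixed: the credential POST only creates the session; the page is
                # fetched by a follow-up GET, which is what the browser records.
                return Response(302, headers={**cookie, "Location": req.path})
            # Vulnerable: the page is rendered straight from the credential POST,
            # so the browser's history entry for it is that POST, form data and all.
            return Response(200, f"page {req.path} for {req.form['user']}", cookie)
        if user is None:
            return Response(200, "login form")
        return Response(200, f"page {req.path} for {user}")


class Browser:
    """Minimal browser: a cookie jar plus a history of the requests it rendered."""

    def __init__(self, server: LoginServer):
        self.server = server
        self.cookies = {}
        self.history = []           # (method, path, form) per rendered page

    def _send(self, method, path, form=None) -> Response:
        resp = self.server.handle(Request(method, path, dict(form or {}), dict(self.cookies)))
        if "Set-Cookie" in resp.headers:
            name, _, value = resp.headers["Set-Cookie"].partition("=")
            value = value.split(";")[0]
            if value:
                self.cookies[name] = value
            else:
                self.cookies.pop(name, None)      # expired cookie
        return resp

    def navigate(self, method, path, form=None) -> Response:
        resp = self._send(method, path, form)
        if resp.status == 302:
            # Following the redirect records only the GET in history.
            return self.navigate("GET", resp.headers["Location"])
        self.history.append((method, path, dict(form or {})))
        return resp

    def back(self) -> Response:
        """Press Back and confirm the browser's 'resubmit form?' prompt."""
        self.history.pop()
        method, path, form = self.history[-1]
        return self._send(method, path, form)


def replay_after_logout(prg: bool) -> str:
    """Log in, log out, press Back; return what the server serves on replay."""
    browser = Browser(LoginServer(prg))
    page = browser.navigate("POST", "/Ticket/Display.html",
                            {"user": "alice", "pass": "correct horse"})
    assert page.body == "page /Ticket/Display.html for alice"
    browser.navigate("GET", "/logout")
    return browser.back().body


if __name__ == "__main__":
    print("direct render :", replay_after_logout(False))   # page served again, no password typed
    print("redirect      :", replay_after_logout(True))    # login form
```

With direct rendering, replaying the history entry re-sends the stored credentials and silently creates a fresh session; with the redirect, the replayed GET carries no credentials and the expired cookie, so only the login form comes back.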
