Security vulnerabilities in RT

In the process of preparing the release of RT 4.0.0, we performed an extensive security audit of RT's source code.  During this audit, several vulnerabilities were found which affect earlier releases of RT.  We are releasing versions 3.6.11, 3.8.10, and 4.0.0rc8 to resolve these vulnerabilities, as well as patches which apply atop 3.6.10 and all versions of RT 3.8.

RT versions 3.8.0 and above with the "external custom field" feature enabled and configured are vulnerable to a remote code execution vulnerability.  An authenticated user (either privileged or unprivileged) can use this vulnerability to execute arbitrary code with the permissions of the webserver; they may also be tricked into doing so via cross-site request forgery (CSRF).  The external custom field option is disabled by default; if you have not explicitly enabled "CustomFieldValuesSources" in your RT configuration, your RT instance is not vulnerable.  We have been assigned CVE-2011-1685 for this vulnerability.

RT versions 2.0.0 and above are vulnerable to multiple SQL injection attacks.  We do not believe these attacks to be capable of directly inserting, altering or removing data from the database, but an authenticated user (either privileged or unprivileged) could use them to retrieve unauthorized ticket data.  Deployments since 3.6.0 are additionally vulnerable to a more complex attack, which can be used by a privileged user to retrieve arbitrary data from the database.  We have been assigned CVE-2011-1686 for this vulnerability.

RT versions 3.0.0 and higher are vulnerable to an information leak wherein an authenticated privileged user could gain sensitive information, such as encrypted passwords, via the search interface.  We have been assigned CVE-2011-1687 for this vulnerability.  This vulnerability is particularly notable given RT's previous vulnerability with insecure hashing (CVE-2011-0009).

RT versions 3.6.0 through 3.8.7, as well as 3.8.8 to a more limited degree, are vulnerable to a malicious attacker tricking the user into sending their authentication credentials to a third-party server.  We have been assigned CVE-2011-1690 for this vulnerability.

RT versions 3.2.0 and above are vulnerable to a directory traversal attack where an unauthenticated attacker can read any file which is readable by the webserver.  While some servers (Apache, nginx) have safeguards which mitigate this attack, preventing such traversals from accessing files outside of RT's document root, many others (including the standalone server provided with RT, plackup, starman, twiggy, and lighttpd) are vulnerable to this exploit.  We have been assigned CVE-2011-1688 for this vulnerability.
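As an added illustration of the document-root safeguard credited to Apache and nginx above (this is not RT's code nor the fix shipped in these releases), here is a Perl routine that maps a request path onto a document root and refuses any path that would resolve outside it, the kind of check a PSGI-based deployment needs in front of static files.  The function name, the `$docroot` argument and the sample requests are assumptions for the demonstration.

```perl
#!/usr/bin/env perl
# Added example (not RT's code): map an HTTP request path onto a document
# root the way a safe static-file handler does, rejecting any request that
# would resolve outside that root.  Assumes $docroot exists and is not "/".
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;

# Returns the filesystem path to serve, or undef if the request is rejected.
sub docroot_path {
    my ($docroot, $request_path) = @_;
    my $root = realpath($docroot) or return;       # root must exist

    # Decode percent-encoding exactly once, so "%2e%2e" is seen as "..".
    (my $path = $request_path) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    $path =~ s/[?#].*//;                           # drop query / fragment
    $path =~ tr{\\}{/};                            # treat backslash as separator

    # Normalise segment by segment; ".." may never climb above the root.
    my @stack;
    for my $seg (split m{/+}, $path) {
        next if $seg eq '' || $seg eq '.';
        return if $seg =~ /\0/;                    # NUL would truncate in C
        if ($seg eq '..') {
            return unless @stack;                  # escape attempt: reject
            pop @stack;
            next;
        }
        push @stack, $seg;
    }
    my $candidate = File::Spec->catfile($root, @stack);

    # If the target exists, it must still lie under the root after symlink
    # resolution; if it does not exist, the handler will simply report 404.
    if (-e $candidate) {
        my $real = realpath($candidate);
        return unless defined $real;
        return unless $real eq $root || index($real, "$root/") == 0;
        return $real;
    }
    return $candidate;
}

# Constructed demonstration using the current directory as document root.
unless (caller) {
    for my $req ('/index.html', '/../etc/passwd',
                 '/%2e%2e/%2e%2e/etc/passwd', '/a/../index.html') {
        my $fs = docroot_path('.', $req);
        printf "%-30s -> %s\n", $req, defined $fs ? $fs : 'REJECTED';
    }
}
```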

RT versions 2.0.0 and above are vulnerable to cross-site scripting (XSS) vulnerabilities, which allow an attacker to run JavaScript with the user's credentials.  We have been assigned CVE-2011-1689 for this vulnerability.

In addition to releasing RT versions 3.6.11, 3.8.10, and 4.0.0rc8, we have collected patches for 3.6.10 and all releases of 3.8 into a single security patchset (signature).

The README in the tarball contains instructions for applying the patches.
