Security vulnerabilities in three commonly deployed RT extensions

We have identified a number of security vulnerabilities in commonly installed RT extensions, enumerated below. You can determine which, if any, of these extensions your RT installation is using by navigating to Configuration → Tools → System Configuration, and examining the "Plugins" configuration setting.

We have released updated versions of each vulnerable extension. Installation instructions for each are included in a README file in each extension's tarball. You need only download and upgrade these extensions if you have a previous version of them installed; RT installations with none of the below extensions installed are not vulnerable, and do not need to take action.

RT::Authen::ExternalAuth 0.10 and below (for all versions of RT) are vulnerable to an escalation of privilege attack where the URL of a RSS feed of the user can be used to acquire a fully logged-in session as that user. CVE-2012-2770 has been assigned to this vulnerability.

Users of RT 3.8.2 and above should upgrade to RT::Authen::ExternalAuth 0.11, which resolves this vulnerability. Because users of RT 3.8.1 cannot run RT::Authen::ExternalAuth later than 0.08 (due to bugs in the plugin handling code in RT 3.8.1), we are also providing a patch which applies to RT::Authen::ExternalAuth 0.08. This patch should only be applied if you are running RT 3.8.1 and RT::Authen::ExternalAuth 0.08. Instructions for applying the patch can be found in the patch file itself.

http://cpan.metacpan.org/authors/id/A/AL/ALEXMV/RT-Authen-ExternalAuth-0.11.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-authen-externalauth-0.08.patch

RT::FM versions 2.0.4 through 2.4.3, inclusive, are vulnerable to multiple cross-site scripting (XSS) attacks in the topic administration page. CVE-2012-2768 has been assigned to this vulnerability. This release also includes updates for compatibility with RT 3.8.12. As RT 4.0 and above bundle RT::FM's functionality, and resolved this vulnerability in RT 4.0.6, this update is only applicable to installations of RT 3.8.

http://download.bestpractical.com/pub/rt/release/RTFM-2.4.4.tar.gz

RT::Extension::MobileUI 1.01 and below are vulnerable to multiple cross-site scripting (XSS) attacks. CVE-2012-2769 has been assigned to this vulnerability. As RT 4.0 and above bundle RT::Extension::MobileUI's functionality, and resolved this vulnerability in RT 4.0.6, this update is only applicable to installations of RT 3.8.

http://cpan.metacpan.org/authors/id/A/AL/ALEXMV/RT-Extension-MobileUI-1.02.tar.gz

The README in each tarball contains instructions for upgrading the extension. If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sales at bestpractical.com for more information.

Best Practical at OSCON

If you'll be attending OSCON in Portland next week, we're teaching a tutorial on Monday and running the Perl Lightning Talks on Thursday. In between, we'll be enjoying sessions, hanging out in the hallways, manning the TPF booth at the Expo, and sampling some of the local brews (coffee, tea and beer). If you're an RT user or interested in using RT, please stop us for a chat during the conference. You can find us on Twitter as @bestpractical if you want to arrange a meetup.

Security vulnerabilities in RT

Internal audits of the RT codebase have uncovered a number of security vulnerabilities in RT. We are releasing versions 3.8.12 and 4.0.6 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 3.8 and 4.0.

The vulnerabilities addressed by 3.8.12, 4.0.6, and the below patches include the following:

The previously released tool to upgrade weak password hashes as part of CVE-2011-0009 was an incomplete fix and failed to upgrade passwords of disabled users. This release includes an updated version of the vulnerable-passwords tool, which should be run again to upgrade the remaining password hashes. CVE-2011-2082 is assigned to this vulnerability.

RT versions 3.0 and above contain a number of cross-site scripting (XSS) vulnerabilities which allow an attacker to run JavaScript with the user's credentials. CVE-2011-2083 is assigned to this vulnerability.

RT versions 3.0 and above are vulnerable to multiple information disclosure vulnerabilities. This includes the ability for privileged users to expose users' previous password hashes -- this vulnerability is particularly dangerous given RT's weak hashing prior to the fix in CVE-2011-0009. A separate vulnerability allows privileged users to obtain the correspondence history for any ticket in RT. CVE-2011-2084 is assigned to this vulnerability.

All publicly released versions of RT are vulnerable to cross-site request forgery (CSRF), in which a malicious website causes the browser to make a request to RT as the currently logged-in user. This attack vector could be used for information disclosure, privilege escalation, and arbitrary code execution. Because some external integrations may rely on RT's previously permissive behaviour, we have included a configuration option ($RestrictReferrer) to disable CSRF protection. We have also added a configuration parameter ($ReferrerWhitelist) to exempt certain originating sites from CSRF protection. CVE-2011-2085 is assigned to this vulnerability.

We have also added a separate configuration option ($RestrictLoginReferrer) to prevent login CSRF, a different class of CSRF attack in which the user is silently logged in with the attacker's credentials. $RestrictLoginReferrer defaults to disabled, because its benign usage is more commonly relied upon, and login CSRF presents less of a threat for RT than for many other types of online applications.
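An added example, written for this page and not taken from the advisories or from RT itself: a POSIX shell audit of an RT_SiteConfig.pm that answers two triage questions from these posts, namely which of RT::Authen::ExternalAuth, RT::FM and RT::Extension::MobileUI appear in the Plugins setting (the extensions advisory above), and whether the $RestrictReferrer, $RestrictLoginReferrer and referrer whitelist options described here have been weakened. It assumes RT's Set(...) configuration syntax, reads the whitelist as a qw() list under the name ReferrerWhitelist, and audits a constructed sample config; the function and file names are chosen for the example.

```shell
#!/bin/sh
# Added example, not Best Practical's code: audit an RT_SiteConfig.pm for
# (1) the three extensions named in the extensions advisory and (2) the CSRF
# options described in the RT advisory.  Option names come from the posts;
# the sample config in demo_config is constructed for the demonstration.

VULNERABLE_PLUGINS="RT::Authen::ExternalAuth RT::FM RT::Extension::MobileUI"

# Print the items of Set(@NAME, qw(...)) in config $2, one per line.  Whole-line
# comments are dropped and the file is joined so multi-line qw() lists work.
qw_list() {
    { grep -v '^[[:space:]]*#' "$2" | tr '\n' ' '; echo; } |
        sed -n "s/.*Set([@\$]${1}[[:space:]]*,[[:space:]]*qw([[:space:]]*\([^)]*\)).*/\1/p" |
        tr -s ' \t' '\n' | sed '/^$/d'
}

# Print the value of Set($NAME, value) in config $3, or default $2 when the
# option is not set (the last assignment wins, as in Perl)
scalar_setting() {
    val=$(sed -n "s/^[[:space:]]*Set([\$]${1}[[:space:]]*,[[:space:]]*\([^)]*\)).*/\1/p" "$3" | tail -n 1)
    if [ -n "$val" ]; then echo "$val"; else echo "$2"; fi
}

# Loaded plugins that the extensions advisory covers, one per line
affected_plugins() {
    qw_list Plugins "$1" | while read -r p; do
        for v in $VULNERABLE_PLUGINS; do
            if [ "$p" = "$v" ]; then echo "$p"; fi
        done
    done
}

# 0 when referrer-based CSRF protection is still on (RestrictReferrer defaults to 1)
csrf_protection_enabled() {
    [ "$(scalar_setting RestrictReferrer 1 "$1")" != "0" ]
}

# 0 when login-CSRF protection has been switched on (RestrictLoginReferrer defaults to 0)
login_csrf_protection_enabled() {
    [ "$(scalar_setting RestrictLoginReferrer 0 "$1")" != "0" ]
}

# Hosts exempted from the referrer check, one per line
referrer_whitelist() {
    qw_list ReferrerWhitelist "$1"
}

# Constructed RT_SiteConfig.pm: two advisory extensions loaded, CSRF
# protection switched off (the weak setting) and one host exempted
demo_config() {
    f=$(mktemp "${TMPDIR:-/tmp}/rtsiteconfig.XXXXXX")
    cat > "$f" <<'EOF'
# constructed sample, not a real site's configuration
Set($rtname, 'rt.example.com');
Set(@Plugins, qw(
    RT::FM
    RT::Extension::MobileUI
    RT::Extension::ExampleOnly
));
Set($RestrictReferrer, 0);
Set(@ReferrerWhitelist, qw(sso.example.com:443));
1;
EOF
    echo "$f"
}

# Human-readable report on config $1; non-zero exit when something needs attention
audit() {
    f=$1; rc=0
    for p in $(affected_plugins "$f"); do
        echo "WARN: $p is loaded; upgrade it to the fixed release"; rc=1
    done
    if csrf_protection_enabled "$f"; then
        echo "ok: RestrictReferrer is on"
    else
        echo "WARN: RestrictReferrer is 0, so CSRF protection is disabled"; rc=1
    fi
    if login_csrf_protection_enabled "$f"; then echo "ok: RestrictLoginReferrer is on"
    else echo "note: RestrictLoginReferrer is off (the default)"; fi
    echo "referrer whitelist: $(referrer_whitelist "$f" | tr '\n' ' ')"
    return $rc
}

# Usage: sh rt-config-audit.sh /path/to/RT_SiteConfig.pm
if [ -n "${1:-}" ]; then audit "$1"; fi
```

Run it with the path to the site configuration; a non-zero exit means an advisory extension is still loaded or CSRF protection has been turned off. The parser only reads literal Set(...) lines, so values computed in Perl code, or set only in RT_Config.pm, are not seen.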

RT versions 3.6.1 and above are vulnerable to remote code execution if the optional VERP configuration options ($VERPPrefix and $VERPDomain) are enabled. RT 3.8.0 and higher are vulnerable to a limited remote code execution which can be leveraged for privilege escalation. RT 4.0.0 and above contain a vulnerability in the global $DisallowExecuteCode option, allowing sufficiently privileged users to execute code even when RT is configured not to allow it. CVE-2011-4458 is assigned to this set of vulnerabilities.

RT versions 3.0 and above may, under some circumstances, still respect rights that a user only has by way of a currently-disabled group. CVE-2011-4459 is assigned to this vulnerability.

RT versions 2.0 and above are vulnerable to a SQL injection attack which allows privileged users to obtain arbitrary information from the database. CVE-2011-4460 is assigned to this vulnerability.

In addition to releasing RT versions 3.8.12 and 4.0.6 which address these issues, we have also collected patches for all releases of 3.8 and 4.0 into a distribution available for download at:

http://download.bestpractical.com/pub/rt/release/security-2012-05-22.tar.gz

The README in the tarball contains instructions for applying the patches. The patches require version 0.68 or higher of FCGI.pm if you are running a FastCGI deployment. Too low a version of this module will manifest as outgoing mail failing to be sent, and errors in the logs resembling:

Could not send mail with command `[...]`:
Can't locate object method "FILENO" via package "FCGI::Stream"
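An added example, not part of the advisory: a POSIX shell preflight that checks the installed FCGI.pm against the 0.68 minimum and counts occurrences of the FCGI::Stream error above in an RT log. The perl -MFCGI invocation reads the module's own $FCGI::VERSION; the log excerpt in demo_log is constructed, and the function names are chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the advisory: preflight for the FCGI.pm
# requirement.  Compares the installed FCGI.pm with the 0.68 minimum, and
# scans an RT log for the symptom the advisory describes.  The log lines
# written by demo_log are constructed.

FCGI_MIN=0.68

# 0 when decimal version $1 satisfies minimum $2.  Perl module versions such
# as $FCGI::VERSION are plain decimals, so a numeric comparison is correct.
version_ok() {
    awk -v have="$1" -v need="$2" 'BEGIN { exit (have + 0 >= need + 0) ? 0 : 1 }'
}

# Version of the FCGI.pm perl would load on this host; non-zero exit when absent
installed_fcgi_version() {
    perl -MFCGI -e 'print $FCGI::VERSION' 2>/dev/null
}

# Number of lines in log $1 carrying the FCGI::Stream FILENO error
fcgi_symptom_count() {
    grep -cF "Can't locate object method \"FILENO\" via package \"FCGI::Stream\"" "$1" || true
}

# Constructed RT log excerpt: one outgoing mail failing with the error above
demo_log() {
    f=$(mktemp "${TMPDIR:-/tmp}/rtlog.XXXXXX")
    cat > "$f" <<'EOF'
[Tue May 22 09:14:03 2012] [info]: constructed line: ticket created
[Tue May 22 09:14:04 2012] [critical]: Could not send mail with command `[...]`:
[Tue May 22 09:14:04 2012] [critical]: Can't locate object method "FILENO" via package "FCGI::Stream"
[Tue May 22 09:14:05 2012] [info]: constructed line: next request served
EOF
    echo "$f"
}

# Report for the RT host: module version first, then the log $1; non-zero
# exit when the symptom is present in the log
check_fcgi() {
    log=$1
    if v=$(installed_fcgi_version); then
        if version_ok "$v" "$FCGI_MIN"; then echo "FCGI.pm $v ok (>= $FCGI_MIN)"
        else echo "FCGI.pm $v is too old; upgrade to $FCGI_MIN or newer"; fi
    else
        echo "FCGI.pm not installed; only needed for FastCGI deployments"
    fi
    n=$(fcgi_symptom_count "$log")
    [ "$n" -gt 0 ] && echo "$n log line(s) show the FCGI::Stream error: mail is failing"
    [ "$n" -eq 0 ]
}

# Usage: sh fcgi-preflight.sh /path/to/rt.log
if [ -n "${1:-}" ]; then check_fcgi "$1"; fi
```

Run it on the RT host after applying the patches, passing the path of RT's log file; with no argument it only defines the functions, so they can be sourced into other checks.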

If you need help resolving these security issues, we will provide discounted pricing for single-incident support; please contact us at sales at bestpractical.com for more information.

RT 4.0.5 Released

I'm happy to announce that RT 4.0.5 is now available.

This release contains a number of bugfixes and small improvements since the 4.0.4 release; a few of the more notable ones include:

  • Greatly improved print CSS
  • New Config option - HideResolveActionsWithDependencies removes actions such as Resolve from the action menu on tickets with outstanding dependencies
  • New Config option - AutocompleteOwnersForSearch allows admins to force an Owner autocompleter in the Query Builder
  • New Config option - NoTicketInterfaceForApprovals redirects users to the Approvals interface if they visit an Approval ticket in the regular RT UI
  • Improved Simple Search documentation and new 'any' keyword for any status
  • Improved case insensitivity in the User and Custom Field Autocompleters
  • New --enable-ssl-mailgate configure option and rt-mailgate options to assist with setting rt-mailgate up to talk to your SSL-enabled RT server
  • More improvements to email quote detection to handle Outlook quoting
  • The CreateTickets action now supports adding Groups as Watchers
  • httpurl_overwrite no longer inserts spaces into your URLs
  • Added NBSP as a search column in the Query Builder
  • Maintain Approved/Denied state in the radio button on past Approvals
  • Fixes for Bookmarked ticket searches
  • Bugfixes for OverrideOutgoingMailFrom and sending bounces
  • More consistent ordering of Articles
  • Improvements to menu internals, including fixes for Search collections and localization of key names
  • Preserve Content-Disposition when redistributing mail
  • Improved PGP handling for .asc attachments with misleading content-types
  • By default, RT's session cookie will not be available to javascript
  • Allow Charts to be grouped by Told.
  • Test and localization cleanups.

Boston RT Training Reminder — March 5 & 6, 2012

March 2012 will bring a two-day RT training session to our hometown of Boston! To learn more and sign up online, visit our shop.

Drop us a line at training@bestpractical.com with any questions you have or to inquire about discounted pricing for academic institutions.

Our 2012 training session highlights the new features available in RT 4.

Day 1 covers

  • RT basics and concepts, concentrating on giving you an RT vocabulary and introducing you to parts of the basic and admin UI
  • Installing, upgrading and deploying RT
  • Mail and commandline access to RT
  • Escalations and notifications using the backend tools
  • Finding and installing extensions for RT and a walkthrough of common and popular extensions.

Day 2 covers

  • Deeper exploration of the Admin UI covering Users, Groups, ACLs, Lifecycles, Scrips, Templates, Approvals and Articles
  • Database administration and Full Text Searching
  • Using external authentication with your RT
  • Learn to build your own RT extension to apply customizations in a way that minimizes conflicts during an upgrade

A spot at either day costs $995 USD, but you can save 25% if you attend both days of training. That's just $1495 USD!

Reservations

We like to keep class sizes relatively intimate. Please register soon or we may not be able to guarantee you a seat.

When you register, please tell us which date(s) you are registering for, and whether you'd like to register for the whole training session or for only a single day.

If you'd like to pay via credit card, please visit Best Practical's online store. If you'd prefer to reserve a seat and have us bill you, please write to us at training@bestpractical.com. Be sure to include the full names and email addresses of all attendees you'd like to register for training.

RT Training in Boston — March 5 & 6, 2012

March 2012 will bring a two-day RT training session to our hometown of Boston!

To learn more and sign up online, visit our shop.

Drop us a line at training@bestpractical.com with any questions you have or to inquire about discounted pricing for academic institutions.

What does training cover?

The first day starts off with a tour of RT's web interface and continues with a detailed exploration and explanation of RT's functionality, workflows and configurability. We'll touch on basic administration, but concentrate largely on helping you and your team get the most out of your RT instance.

The second day of training picks up with RT administration and dives into what you need to safely customize and extend RT. We'll cover point-and-click configuration, upgrading and installing RT, development best practices, RT's API, building an extension, and database tuning.

It goes without saying that you'll get the most out of training if you attend both days of the course, but we've designed the material so that you can step out after the first day with a dramatically improved understanding of how to use RT or show up on the second day and get quickly up to speed on how to make RT do your bidding.

RT 4.0.4 Released, fixes RT 3 -> 4.0.3 upgrade regression

RT 4.0.3 contained a serious bug wherein upgrades from any version of RT 3 to RT 4.0.3 broke template interpolation; please do not use it. If you had previously upgraded from RT 3 to RT 4.0.0, 4.0.1, or 4.0.2 before upgrading to RT 4.0.3, you are not affected by this bug.

If you are currently running RT 4.0.3 and are affected by this issue, upgrading to RT 4.0.4 will resolve it.

Download it here

RT 4.0.3 Released

I'm happy to announce that RT 4.0.3 is now available.

This release contains a number of bugfixes and small improvements since the 4.0.2 release; a few of the more notable ones include:

  • Due to a change in RT 3.8.9, which also affected RT 4.0.0 and higher, TransactionBatch scrips were run twice; this has now been fixed.

  • A new toggle has been added to expand all quote folding in a ticket's transaction history.

  • New "On Forward", "On Forward Transaction" and "On Forward Ticket" conditions have been added.

  • Ticket searches no longer forget which saved search they were loaded from when being updated.

  • A new "make jsmin" target has been added to aid in downloading, compiling, and installing jsmin.

  • Improved threading for automatically generated emails concerning a ticket.

  • Improved detection of Outlook-style message forwarding headers.

  • No longer error when a user has supplied a non-existent RT style; instead, fall back to the default. This is particularly relevant for users coming from RT 3.8 with the 3.6 stylesheet applied, which no longer exists in 4.0.

  • Improved handling of files named "0", and Unicode filenames, in file uploads.

  • Tickets can no longer be linked to deleted tickets.

  • Restore missing menus on simple search result pages.

  • Fix support for perl 5.12 and later by removing a deprecated use of "defined %hash".

RT 3.8.11 Released

I'm happy to announce that RT 3.8.11 is now available.

This release contains a number of bugfixes and a minor security update in one of our dependencies:

  • Adjust FCGI dependency to one which resolves FCGI's CVE-2011-2766

  • New WebHttpOnlyCookies option, enabled by default, which hides RT's cookie from direct JavaScript access.

  • Compatibility with perl 5.12 and 5.14, by removing deprecated "for qw(...)" and "defined %hash" syntax.

  • MySQL 5.5 compatibility, by specifying ENGINE=InnoDB rather than TYPE=InnoDB

  • Ensure that RT::Interface::Web's _Overlay, _Local, and _Vendor files are loaded correctly.

  • Fix session cleaner for on-disk sessions, broken since 3.8.0.

  • Ensure that only one "Based on" attribute is stored for each custom field.

  • Fix the loading of Shredder plugins, broken in 3.8.10.

How the University of Oxford uses RT

Ever wonder how a large organization uses RT? The University of Oxford's Computing Services, a very long time user of RT, published a blog post last week giving a peek into their use cases and workflows.
