
falcone at bestpractical
Sep 14, 2009, 12:27 PM
This release of RT-3.8.5 contains an important security fix. You can download it from:

http://download.bestpractical.com/pub/rt/release/rt-3.8.5.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-3.8.5.tar.gz.sig

SHA1 checksums

26854e1a34052a2a922dc0ff533056f782813ea7  rt-3.8.5.tar.gz
96fcf9d75ce293d019bdcd0865495c6b2ac18534  rt-3.8.5.tar.gz.sig

During a routine internal audit, it was determined that all versions of RT from 3.4.6 to 3.8.4 are vulnerable to an escaping bug in the display of Custom Fields that could allow injection of JavaScript into the RT UI.

This bug is only exploitable if you have a Custom Field that accepts data from an end user (such as "Enter one value" or "Fill in one text area"). It does not affect "Select one value" fields. In addition, you must allow malicious users to set these custom fields, either through the Web UI (SelfService) or through an automated parsing script such as RT-Extension-ExtractCustomFieldValues, RT-Extension-CommandByMail or a local parsing modification.

If you do not allow external users to set Custom Field values and the only users who have ModifyCustomField are your Privileged users, then the impact of this is limited to one of your trusted users attacking the system.

I have attached patches for the 3.4, 3.6 and 3.8 branches of RT in case you do not wish to upgrade at this time. You can apply these patches as follows:

RT 3.4
    cd /opt/rt3/share
    patch -p1 < /path/to/RT-3.4-escape_custom_field_value.patch

RT 3.6
    cd /opt/rt3/share
    patch -p1 < /path/to/RT-3.6-escape_custom_field_value.patch

RT 3.8
    cd /opt/rt3/
    patch -p1 < /path/to/RT-3.8-escape_custom_field_value.patch

You should then clear your Mason cache:

    # rm -rf /opt/rt3/var/mason_data/obj/*

and restart your web server; this is often accomplished with

    # /etc/init.d/httpd restart

or

    # /etc/init.d/apache restart
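The class of bug described above is an output-escaping omission: a user-supplied Custom Field value is written into the ticket display page without HTML encoding. The following is an added illustration in Python, not RT's own Mason code or the attached patches; the two render functions and the `SAMPLE_VALUES` are constructed for this example. It places the vulnerable rendering pattern beside the escaped one and includes a small audit helper that reports which field values containing markup characters reach the output unencoded, which is the check an administrator would want when reviewing a local template modification.

```python
import html

# Constructed sample Custom Field values (not taken from the advisory).
# "Notes" stands in for a free-text field an end user could fill in.
SAMPLE_VALUES = {
    "Customer": "Acme & Co <sales>",
    "Priority": "high",
    "Notes": "<script>alert(1)</script>",
}


def render_unescaped(name, value):
    """Vulnerable pattern: the stored value is interpolated into HTML verbatim.

    Anything the user typed, including tags and event handlers, becomes
    part of the page's markup when the ticket is displayed.
    """
    return f'<td class="label">{name}</td><td class="value">{value}</td>'


def render_escaped(name, value):
    """Fixed pattern: encode &, <, >, " and ' before output.

    html.escape from the standard library is used here; a Mason template
    would achieve the same with its HTML-escaping output filter.
    """
    return (
        f'<td class="label">{html.escape(name, quote=True)}</td>'
        f'<td class="value">{html.escape(value, quote=True)}</td>'
    )


def leaks_markup(rendered, value):
    """True when a value containing markup characters appears verbatim in the output."""
    has_markup_chars = any(ch in value for ch in "<>&\"'")
    return has_markup_chars and value in rendered


def audit(render):
    """Return the names of fields whose values reach the output unencoded."""
    leaked = []
    for name, value in SAMPLE_VALUES.items():
        if leaks_markup(render(name, value), value):
            leaked.append(name)
    return leaked


if __name__ == "__main__":
    print("unescaped renderer leaks:", audit(render_unescaped))
    print("escaped renderer leaks:  ", audit(render_escaped))
    print(render_escaped("Notes", SAMPLE_VALUES["Notes"]))
```

Running the block reports `Customer` and `Notes` as leaked by the unescaped renderer and nothing for the escaped one; `Priority` is not reported because a value with no markup characters is harmless either way. The same audit can be pointed at a locally modified template by swapping in a wrapper that calls it with each sample value.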