Mailing List Archive: Request Tracker: Devel

Any XSS issues?

Index | Next | Previous | View Threaded

taylor.andrew.j at gmail

Jan 8, 2009, 3:55 PM

Post #1 of 4 (997 views)
Permalink

Any XSS issues?

Hi all,

The topic of XSS vulnerability came up in an internal discussion about
our pending upgrade to 3.8.x. We ran across a (very) old mailing list
post about RT 2 having XSS protections, nothing obvious since. Using
an "xss scriplet" one of the guys dug up I posted it into the message
box and created a new ticket. The resulting ticket displayed the
javascript exactly as I pasted it in. This tells me that there is
definitely some level of XSS prevention built into RT.

Any gotchas I should know about?

Drew
--
----------------------------------------------------------------
Drew Taylor * Web development & consulting
Email: drew [at] drewtaylor * Site implementation & hosting
Web : www.drewtaylor.com * perl/mod_perl/DBI/mysql/postgres
----------------------------------------------------------------
_______________________________________________
List info: http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-devel

jesse at bestpractical

Jan 8, 2009, 3:57 PM

Post #2 of 4 (952 views)
Permalink

Re: Any XSS issues? [In reply to]

On Thu, Jan 08, 2009 at 11:55:08PM +0000, Drew Taylor wrote:
> Hi all,
>
> The topic of XSS vulnerability came up in an internal discussion about
> our pending upgrade to 3.8.x. We ran across a (very) old mailing list
> post about RT 2 having XSS protections, nothing obvious since. Using
> an "xss scriplet" one of the guys dug up I posted it into the message
> box and created a new ticket. The resulting ticket displayed the
> javascript exactly as I pasted it in. This tells me that there is
> definitely some level of XSS prevention built into RT.

There certainly is.

> Any gotchas I should know about?

Nope. As always, we do take security issues very seriously and would
greatly appreciate it if you bring anything you discover to our
attention quickly and (initially) quietly to give us a chance to help RT
users mitigate issues before anyone has a chance to exploit a newly
discovered vulnerability.
>
> Drew
> --
> ----------------------------------------------------------------
> Drew Taylor * Web development & consulting
> Email: drew [at] drewtaylor * Site implementation & hosting
> Web : www.drewtaylor.com * perl/mod_perl/DBI/mysql/postgres
> ----------------------------------------------------------------
> _______________________________________________
> List info: http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-devel
>

--
_______________________________________________
List info: http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-devel

taylor.andrew.j at gmail

Jan 13, 2009, 1:58 PM

Post #3 of 4 (915 views)
Permalink

Re: Any XSS issues? [In reply to]

On Thu, Jan 8, 2009 at 11:57 PM, Jesse Vincent <jesse [at] bestpractical> wrote:
>
> On Thu, Jan 08, 2009 at 11:55:08PM +0000, Drew Taylor wrote:
>> The topic of XSS vulnerability came up in an internal discussion about
>> ... This tells me that there is
>> definitely some level of XSS prevention built into RT.
>
> There certainly is.
>
>> Any gotchas I should know about?
>
> Nope. As always, we do take security issues very seriously and would

Well, we did find one gotcha though I can't strictly call it RT's
fauly. Creating tickets through the web UI does successfully escape
malicious output, but that doesn't apply to tickets created via
RT::Client::REST. Is there a way I can get REST-generated tickets to
go through the same escaping as UI-generated tickets?

Thanks,
Drew
--
----------------------------------------------------------------
Drew Taylor * Web development & consulting
Email: drew [at] drewtaylor * Site implementation & hosting
Web : www.drewtaylor.com * perl/mod_perl/DBI/mysql/postgres
----------------------------------------------------------------
_______________________________________________
List info: http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-devel

jpierce at cambridgeenergyalliance

Jan 13, 2009, 9:17 PM

Post #4 of 4 (927 views)
Permalink

Re: Any XSS issues? [In reply to]

> Well, we did find one gotcha though I can't strictly call it RT's
> fauly. Creating tickets through the web UI does successfully escape
> malicious output, but that doesn't apply to tickets created via
> RT::Client::REST. Is there a way I can get REST-generated tickets to
> go through the same escaping as UI-generated tickets?
This module's not supported by Best Practical, and closer to unsupported
right now. Dmitri et al. are handing out commit bits for google code (ick,
one of the reasons I've not yet made some fixes) if you're interested.
Otherwise, you could submit a patch on rt.cpan.org

--
Cambridge Energy Alliance: Save money. Save the planet.
_______________________________________________
List info: http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-devel

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads