Mailing List Archive: Request Tracker: Devel
*possible* RT security bug
 



chad at opensourcery

Apr 16, 2009, 9:39 AM



Version 3.8.2

Noticed when writing a plugin. I have debugging that prints out the
content of %ARGS. I went to the page while not logged in, and it prompted
for login. Logged in and it redirected to the page I am working on. The
debugging showed the username and password in %ARGS.

I would expect the username and password to be stripped from %ARGS the
moment the login validation stage is complete (on success or failure). I
do not have any clear ideas on how to exploit this, but it seems pretty
sketch.

-Chad Granum
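
An added example, not part of the original post and not RT's own code: one way a request handler could remove the credentials from the argument hash as soon as login validation finishes, on success or failure, with a debug dump that masks them in the meantime. The field names `user` and `pass`, the sample values, and the functions `check_password`, `authenticate_and_strip` and `redacted_dump` are hypothetical.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Hypothetical field names; the post does not say which keys hold the credentials.
my @CREDENTIAL_KEYS = qw(user pass);
my %IS_CREDENTIAL   = map { $_ => 1 } @CREDENTIAL_KEYS;

# Hypothetical stand-in for the real credential check (constructed account).
sub check_password {
    my ($user, $pass) = @_;
    return defined $user && defined $pass
        && $user eq 'alice' && $pass eq 'constructed-secret';
}

# Validate the login, then delete the credentials from the argument hash
# whether the check succeeded, failed or died, so that components which
# run after the login stage never see them.
sub authenticate_and_strip {
    my ($args) = @_;
    my ($user, $pass) = @{$args}{@CREDENTIAL_KEYS};
    my $ok = eval { check_password($user, $pass) } ? 1 : 0;
    delete @{$args}{@CREDENTIAL_KEYS};
    return $ok ? $user : undef;
}

# Debug dump that masks credential keys, for code that logs the arguments
# before the login stage has had a chance to strip them.
sub redacted_dump {
    my ($args) = @_;
    return join ', ', map {
        my $value = $IS_CREDENTIAL{$_} ? '[REDACTED]' : ($args->{$_} // '');
        "$_=$value";
    } sort keys %$args;
}

# Constructed request arguments, as a login form post that is then
# redirected to the originally requested page might deliver them.
my %ARGS = (user => 'alice', pass => 'constructed-secret', id => 42);

print "before login: ", redacted_dump(\%ARGS), "\n";
my $who = authenticate_and_strip(\%ARGS);
print "logged in as: ", ($who // 'nobody'), "\n";
print "after login:  ", redacted_dump(\%ARGS), "\n";
```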

 
 

