
Mailing List Archive: Request Tracker: Users

3.8.x serious security issue with mixing sessions

 

 



arekm at maven

Oct 23, 2009, 2:24 AM

Post #1 of 33 (1718 views)
Permalink
3.8.x serious security issue with mixing sessions

I have a very serious security problem with a 3.8 installation (3.8.6
currently).

Logged-in user sessions are being mixed up. One logged-in user becomes another
logged-in user as seen by RT. It happens at different moments.

For example, I'm user A and after clicking to view some ticket I become user B.

Or I'm logged in as user A but suddenly I get a prompt to log in again,
and after logging in with user A's data I become user C (in this case
"Successful login for .." isn't written to the logs).

Tried using default settings (session kept in MySQL) but also
Apache::Session::File. The problem happens in both cases. I'm using mod_perl to
run RT.

Happens with different browsers, Firefox, Opera.

Any ideas on how to debug it?

Perl packages are at fresh versions (package list snipped).


config:
# grep -v '^#' /etc/rt3/RT_SiteConfig.pm | grep -v '^$'
Set($rtname, 'domena.pl');
Set($EmailSubjectTagRegex, qr/(?:bla1\.eu|bla2\.pl)/i );
Set($Organization , "Something");
Set($Timezone , 'Europe/Warsaw');
Set($DatabaseUser , 'someuser');
Set($DatabasePassword , 'somepass');
Set($DatabaseName , 'rt3');
Set($OwnerEmail , 'sysadmin [at] ble3');
Set($LoopsToRTOwner , 0);
Set($StoreLoops , 0);
Set($MaxAttachmentSize , 10000000);
Set($RTAddressRegexp , '^rt\@rt.ble.pl$');
Set($CanonicalizeOnCreate , 0);
Set($CorrespondAddress , 'sysadmin [at] ble3');
Set($CommentAddress , 'sysadmin [at] ble3');
Set($MailCommand , 'sendmailpipe');
Set($SendmailArguments , "-oi -t");
Set($SendmailBounceArguments , '-f "<>"');
Set($UseFriendlyFromLine , 1);
Set($FriendlyFromLineFormat , "\"%s via RT\" <%s>");
Set($UseFriendlyToLine , 1);
Set($NotifyActor, 0);
Set($RecordOutgoingEmail, 1);
Set($LogToSyslog , 'error');
Set($LogToScreen , 'error');
Set($LogToFile , 'debug');
Set($LogDir, '/var/log');
Set($LogToFileNamed , "rt.log"); #log to rt.log
Set($WebPath , "");
Set($WebPort , 443);
Set($WebBaseURL , "https://rt.ble.eu");
Set($WebURL , $WebBaseURL . $WebPath . "/");
Set($WebImagesURL , $WebPath . "/NoAuth/images/");
Set($LogoURL , $WebImagesURL . "bplogo.gif");
Set($MessageBoxRichText, 0);
Set($MessageBoxWidth , 120);
Set($MessageBoxHeight, 25);
Set($WikiImplicitLinks, 0);
Set($MaxInlineBody, 15728640);
Set($DefaultSummaryRows, 50);
Set($OldestTransactionsFirst, '1');
Set($ShowTransactionImages, 1);
Set($HomepageComponents, [qw(QuickCreate Quicksearch MyAdminQueues
MySupportQueues MyReminders RefreshHomepage)]);
@EmailInputEncodings = qw(utf-8 iso-8859-2 iso-8859-1 us-ascii) unless
(@EmailInputEncodings);
Set($EmailOutputEncoding , 'utf-8');
Set($DateDayBeforeMonth , 1);
Set($AmbiguousDayInPast , 1);
Set($TrustHTMLAttachments, 1);
Set(%GnuPGOptions,
homedir => '/var/lib/rt-gpg',
);
Set($AutoLogoff, 180);
Set($WebSecureCookies, 1);
1;

part of vhost config:
DocumentRoot /usr/share/rt3/html
Alias /NoAuth/images/ /usr/share/rt3/html/NoAuth/images/
Alias /error/ "/home/services/httpd/error/"
AddDefaultCharset UTF-8

PerlModule Apache2::compat

PerlModule Apache::DBI
PerlRequire /usr/bin/webmux.pl

<Location /error>
</Location>

<Location />
AuthUserFile /somefile
AuthGroupFile /dev/null
AuthName Strefa-admin
AuthType Basic
AddDefaultCharset UTF-8
Options ExecCGI

SetHandler perl-script
PerlHandler RT::Mason
</Location>

PS. I didn't have this problem for some time, but it started to happen again :/

--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/
_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales [at] bestpractical


Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com


jesse at bestpractical

Oct 23, 2009, 10:14 AM

Post #2 of 33 (1677 views)
Permalink
Re: 3.8.x serious security issue with mixing sessions [In reply to]

On Fri, Oct 23, 2009 at 11:24:01AM +0200, Arkadiusz Miskiewicz wrote:
>
> I have a very serious security problem with 3.8 installation (3.8.6
> currently).
>
> Logged User sessions are being mixed up. One logged user is becoming another
> logged user as seen by rt. It happens in different moments.
>
> For example I'm user A and after clicking to view some ticket I become user B.
>
> Or I'm logged in as user A but suddenly I get a prompt to log in again,
> and after logging in with user A's data I become user C (in this case
> "Successful login for .." isn't written to the logs).
>
> Tried using default settings (session kept in MySQL) but also
> Apache::Session::File. The problem happens in both cases. I'm using mod_perl to
> run RT.

I don't think I've ever seen this with RT, but I have seen it with other applications
- the cause is _usually_ an HTTP proxy that's caching RT's pages. Do you
have any sort of HTTP proxy between your browsers and your server?

-jesse


arekm at maven

Oct 23, 2009, 10:38 AM

Post #3 of 33 (1672 views)
Permalink
Re: 3.8.x serious security issue with mixing sessions [In reply to]

On Friday 23 of October 2009, Jesse Vincent wrote:
> On Fri, Oct 23, 2009 at 11:24:01AM +0200, Arkadiusz Miskiewicz wrote:
> > I have a very serious security problem with 3.8 installation (3.8.6
> > currently).
> >
> > Logged User sessions are being mixed up. One logged user is becoming
> > another logged user as seen by rt. It happens in different moments.
> >
> > For example I'm user A and after clicking to view some ticket I become
> > user B.
> >
> > Or I'm logged in as user A but suddenly I get a prompt to log
> > in again, and after logging in with user A's data I become user C (in this case
> > "Successful login for .." isn't written to the logs).
> >
> > Tried using default settings (session kept in MySQL) but also
> > Apache::Session::File. The problem happens in both cases. I'm using mod_perl
> > to run RT.
>
> I don't think I've ever seen this with RT, but I have seen it with other
> applications - the cause is _usually_ an HTTP proxy that's caching RT's
> pages. Do you have any sort of HTTP proxy between your browsers and your
> server?

No proxy. Also RT is served over HTTPS. The session is really changing user,
because when trying to do something that user A has access to I get permission
denied due to B/C not having that access.

Something else is going on.

> -jesse

--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/


jesse at bestpractical

Oct 23, 2009, 10:41 AM

Post #4 of 33 (1671 views)
Permalink
Re: 3.8.x serious security issue with mixing sessions [In reply to]

> No proxy. Also rt is served over https. The session is really changing user
> because when trying to do something that user A has access to I get permission
> denied due to B/C not having that access.
>
> Something else is going on.

* Can you capture the cookies on User A, User B, and User C's systems
for each HTTP hit to see if 1) they change and 2) they are the same?

A tool like the firefox developer toolbar is an easy way to do this.

* Did this also happen with 3.8.5? There's a change to session handling in 3.8.6.


arekm at maven

Oct 23, 2009, 10:52 AM

Post #5 of 33 (1674 views)
Permalink
Re: 3.8.x serious security issue with mixing sessions [In reply to]

On Friday 23 of October 2009, Jesse Vincent wrote:
> > No proxy. Also rt is served over https. The session is really changing
> > user because when trying to do something that user A has access to I get
> > permission denied due to B/C not having that access.
> >
> > Something else is going on.
>
> * Can you capture the cookies on User A, User B, and User C's systems
> for each HTTP hit to see if 1) they change and 2) they are the same?
>
> A tool like the firefox developer toolbar is an easy way to do this.

That will be hard to do, but I will try to get some info (in reality it happens
here for different users whom I don't control, but it also happened for me and
my coworker).

> * Did this also happen with 3.8.5?

I had this in 3.6.6, whatever was current in March 2008, April 2008 (looking
at IRC logs from when I tried to get some help at #rt), 3.8.2 and now 3.8.6.
Maybe others too, don't remember versions.

Note that the issue was gone for some time (3.8.5 for sure, 3.8.4 too AFAIK)
but it's back after I upgraded to 3.8.6. I also upgraded the system, so some perl*
packages were updated, too.

Why it was gone for some time is unknown.

> There's a change to session handling in
> 3.8.6.

Which git commit is that?

--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/


jpierce at cambridgeenergyalliance

Oct 23, 2009, 10:56 AM

Post #6 of 33 (1666 views)
Permalink
Re: 3.8.x serious security issue with mixing sessions [In reply to]

>>   A tool like the firefox developer toolbar is an easy way to do this.
HTTPFox might be a good solution too. You can simply tell it to start tracking
as you use RT, and stop it once you encounter the problem. Examine the
results, debug, and/or sanitize and share.

Everyone experiencing the problem doesn't have to install the add-on,
just someone who has the issue.
--
Cambridge Energy Alliance: Save money. Save the planet.


kellermg at potsdam

Oct 23, 2009, 10:59 AM

Post #7 of 33 (1674 views)
Permalink
Re: 3.8.x serious security issue with mixing sessions [In reply to]

Arkadiusz Miskiewicz wrote:
> I have a very serious security problem with 3.8 installation (3.8.6
> currently).
>
> Logged User sessions are being mixed up. One logged user is becoming another
> logged user as seen by rt. It happens in different moments.

Are you using HTTP authentication or RT's built-in login page? If the
former, it's likely a leaky apache process, squid or auth_cache problem
(not RT); if the latter, then most likely a caching issue or possibly RT
bug.

--
Matthew Keller
Information Security Officer
Computing & Technology Services
State University of New York @ Potsdam
Potsdam, NY, USA


jesse at bestpractical

Oct 23, 2009, 11:08 AM

Post #8 of 33 (1667 views)
Permalink
Re: 3.8.x serious security issue with mixing sessions [In reply to]

> I had this in 3.6.6, whatever was current in March 2008, April 2008 (looking
> at IRC logs from when I tried to get some help at #rt), 3.8.2 and now 3.8.6.
> Maybe others too, don't remember versions.
>
> Note that the issue was gone for some time (3.8.5 for sure, 3.8.4 too AFAIK)
> but it's back after I upgraded to 3.8.6. I also upgraded the system, so some perl*
> packages were updated, too.
>
> Why it was gone for some time is unknown.
>
> > There's a change to session handling in
> > 3.8.6.
>
> Which git commit is that?

Far more than a single commit. We significantly overhauled all the logic
that used to be in the autohandler.

But, if this is something you've seen before and not a "new" issue, I'd
not point the finger at the refactoring just yet.

Once you are logged in and see RT's home screen, does _your_ session
change as you refresh and "become" someone else?

How many RT instances do you have in this one apache?

Which of the apache multiprocess models are you using? Maybe there's
something weird going on with multithreading...

If you switch to fastcgi does this go away?

Are you using apache authentication with RT?

Can you send the contents of the Configuration->Global->Tools->System Configuration page?

Have you made any local changes?


arekm at maven

Oct 26, 2009, 5:40 AM

Post #9 of 33 (1632 views)
Permalink
Re: 3.8.x serious security issue with mixing sessions [In reply to]

On Friday 23 of October 2009, Jerrad Pierce wrote:
> >> A tool like the firefox developer toolbar is an easy way to do this.
>
> HTTPFox might be a good solution too. You can simply tell it to start
> tracking as you use RT, and stop it once you encounter the problem.
> Examine the results, debug, and or sanitize and share.
>
> Everyone experiencing the problem doesn't have to install the add-on,
> just someone who has the issue.

Can I log the session id here somehow?

lib/RT/Interface/Web.pm:
$RT::Logger->info("Successful login for @{[$ARGS->{user}]} from $ENV{'REMOTE_ADDR'}");

So far it's like this:
- user logged in as A
- suddenly he becomes user B
- he logged off and on as A again

HTTPFox shows three session ids, but I found only the last one in the sessions table
and it was user A's session.

User B was logged in on his own computer at that time but with a totally
different session id than the three above (so I assume user A became user B with
some old session of user B).

Will try to get more information...
--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/


jesse at bestpractical

Oct 26, 2009, 5:58 AM

Post #10 of 33 (1632 views)
Permalink
Re: 3.8.x serious security issue with mixing sessions [In reply to]

On Mon, Oct 26, 2009 at 02:40:29PM +0200, Arkadiusz Miskiewicz wrote:
> On Friday 23 of October 2009, Jerrad Pierce wrote:
> > >> A tool like the firefox developer toolbar is an easy way to do this.
> >
> > HTTPFox might be a good solution too. You can simply tell it to start
> > tracking as you use RT, and stop it once you encounter the problem.
> > Examine the results, debug, and or sanitize and share.
> >
> > Everyone experiencing the problem doesn't have to install the add-on,
> > just someone who has the issue.
>
> Can I log session id here somehow?
>
> lib/RT/Interface/Web.pm:
> $RT::Logger->info("Successful login for @{[$ARGS->{user}]} from
> $ENV{'REMOTE_ADDR'}");

There are two bits you want to log:

* $session{_session_id}
* the session cookie the user sent: in 3.8.6, look at LoadSessionFromCookie
>
> So far it's like this:
> - user logged in as A
> - suddenly he becomes user B
> - he logged off and on as A again
>
> HTTPFox shows three session ids, but I found only the last one in the sessions table
> and it was user A's session.

Logging out should be clearing that B session, so that bit isn't too
surprising.

> User B was logged in on his own computer at that time but with a totally
> different session id than the three above (so I assume user A became user B with
> some old session of user B).

*nod*

Has _anybody_ else been seeing this? With 3.8.6 or any other version of
RT?

Jesse


leonid at mamchenkov

Oct 26, 2009, 6:47 AM

Post #11 of 33 (1631 views)
Permalink
Re: 3.8.x serious security issue with mixing sessions [In reply to]

Hi,

On Mon, Oct 26, 2009 at 14:58, Jesse Vincent <jesse [at] bestpractical> wrote:
> > User B was logged in on his own computer at that time but with a totally
> > different session id than the three above (so I assume user A became user B with
> > some old session of user B).
>
> *nod*
>
> Has _anybody_ else been seeing this? With 3.8.6 or any other version of
> RT?

I saw this issue a few times on RT 3.8.2. However, it doesn't happen
often, and I can't think of a way to catch it. I believe the issue
appeared after we upgraded from 3.6.5.

--
Leonid Mamchenkov


arekm at maven

Oct 29, 2009, 6:48 AM

Post #12 of 33 (1584 views)
Permalink
Re: 3.8.x serious security issue with mixing sessions [In reply to]

On Monday 26 of October 2009, Jesse Vincent wrote:
> On Mon, Oct 26, 2009 at 02:40:29PM +0200, Arkadiusz Miskiewicz wrote:
> > On Friday 23 of October 2009, Jerrad Pierce wrote:
> > > >> A tool like the firefox developer toolbar is an easy way to do
> > > >> this.
> > >
> > > HTTPFox might be a good solution too. You can simply tell it to start
> > > tracking as you use RT, and stop it once you encounter the problem.
> > > Examine the results, debug, and or sanitize and share.
> > >
> > > Everyone experiencing the problem doesn't have to install the add-on,
> > > just someone who has the issue.
> >
> > Can I log session id here somehow?
> >
> > lib/RT/Interface/Web.pm:
> > $RT::Logger->info("Successful login for @{[$ARGS->{user}]} from
> > $ENV{'REMOTE_ADDR'}");
>
> There are two bits you want to log:
>
> * $session{_session_id}
> * the session cookie the user sent: in 3.8.6, look at
> LoadSessionFromCookie
>
> > So far it's like this:
> > - user logged in as A
> > - suddenly he becomes user B
> > - he logged off and on as A again
> >
> > HTTPFox shows three session ids, but I found only the last one in the sessions
> > table and it was user A's session.
>
> Logging out should be clearing that B session, so that bit isn't too
> surprising.

Still trying to gather more info.

What's the correct place for logging information about which session has been
logged out (forced) or logged out via the web interface?

Added this to _ForceLogout, but it seems to be wrong since it logs some very
different session_ids...

sub _ForceLogout {
    # log the id of the session that is about to be destroyed
    my $sid = $HTML::Mason::Commands::session{'_session_id'};
    $RT::Logger->info("_ForceLogout session id $sid");
    # the original body of RT's _ForceLogout continues here unchanged
}


> Jesse

--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/


arekm at maven

Oct 29, 2009, 7:18 AM

Post #13 of 33 (1590 views)
Permalink
Re: 3.8.x serious security issue with mixing sessions [In reply to]

On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:

Today it happened to me. I suddenly became user B in RT (Opera). The real
user B had his PC running with RT open (Firefox) with autorefresh every 2
minutes set, but he was away from his computer.

Now I verified his and my RT_SID cookie and... I have his cookie, i.e. we both
use the same cookie. I log session_id in rt.log at login, so I also checked
that and had a login for user B with that cookie logged in rt.log 20 minutes
ago. The sessions table in MySQL contained that session_id, of course. My initial
cookie that I logged in with as user A was also there in the sessions table.

So in the end user B and I both have active sessions as user B with the
same cookie. I even did a few steps through RT on both computers to see if
the session_id would change, but no: we are still logged in and still use the same
session_id/cookie.

(feature request: what I miss now is to make the session contain IP address
information for better security, so that the session would work only from that
one IP)
--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/



jesse at bestpractical

Oct 29, 2009, 7:26 AM

Post #15 of 33 (1585 views)
Permalink
Re: 3.8.x serious security issue with mixing sessions [In reply to]

On Thu, Oct 29, 2009 at 03:18:33PM +0100, Arkadiusz Miskiewicz wrote:
> On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
>
> Today it happened to me. I suddenly became user B in RT (Opera). The real
> user B had his PC running with RT open (Firefox) with autorefresh every 2
> minutes set, but he was away from his computer.

I really need to see protocol-level HTTP logs for both of these
sessions. I need to see when/if RT handed you his cookie.
>
> Now I verified his and mine RT_SID cookie and... I have his cookie aka we both
> use the same cookie. I log session_id in rt.log at login, so I also checked
> that and had login for user B with that cookie logged in rt.log 20 minutes
> ago. sessions table in mysql contained that session_id of course. My initial
> cookie that I logged in as user A was also there in sessions table.
>
> So at the end I and user B we both have active sessions as user B with the
> same cookie. I even did few steps through rt on both computers to see if
> session_id will change but no - we are still logged in and still use the same
> session_id/cookie.
>
> (feature request: what I miss now is to make session contain IP address
> information for better security - so that session would work only from that
> one IP)

As an optional feature, I'd love a patch. But it has to default to off.
Too many organizations have an array of outgoing proxy IP addresses.

> --
> Arkadiusz Miśkiewicz PLD/Linux Team
> arekm / maven.pl http://ftp.pld-linux.org/
>

--

arekm at maven

Oct 29, 2009, 7:30 AM

Post #17 of 33 (1577 views)
Permalink
Re: 3.8.x serious security issue with mixing sessions [In reply to]

On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
> On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
>
> Today it happened to me.

And now another story that happened just a few minutes ago:

I was logged in as A with session_id/cookie, let's say "sessA". When doing
something in rt I suddenly got the login screen, huh! Checked the sessions table -
sessA was still there. So I changed cookie preferences in opera and set the RT_SID
cookie back to "sessA", page refresh and... I'm A, no need to log in!

Which looks like my session ("sessA") was still alive and working on the rt side
but somehow rt passed a different session id/cookie to opera and opera used it,
which in the end caused the login screen to appear.

--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/


arekm at maven

Oct 29, 2009, 7:35 AM

Post #18 of 33 (1585 views)
Permalink
Re: 3.8.x serious security issue with mixing sessions [In reply to]

On Thursday 29 of October 2009, Jesse Vincent wrote:
> On Thu, Oct 29, 2009 at 03:18:33PM +0100, Arkadiusz Miskiewicz wrote:
> > On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
> >
> > Today it happened to me. I suddenly became user B in rt (opera). The
> > real user B had his PC running with rt opened (firefox) with autorefresh
> > every 2 minutes set but he was away from his computer.
>
> I really need to see protocol-level HTTP logs for both of these
> sessions. I need to see when/if RT handed you his cookie.

One firefox user here has httpfox [1] running but so far he hasn't had any
problem for the last 2 days :-(

Our rt is running over ssl, so sniffing at the wire level is also not possible (or at
least I don't know of any working linux sniffer that could do that provided I
have the key/cert)

Trying to get that.

[1] it sucks a little as it doesn't have a "save log" capability
--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/

jesse at bestpractical

Oct 29, 2009, 7:37 AM

Post #20 of 33 (1579 views)
Permalink
Re: 3.8.x serious security issue with mixing sessions [In reply to]

On Thu, Oct 29, 2009 at 03:30:49PM +0100, Arkadiusz Miskiewicz wrote:
> On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
> > On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
> >
> > Today it happened to me.
>
> And now another story that happened just few minutes ago:
>
> I was logged in as A with session_id/cookie, let's say "sessA". When doing
> something in rt I suddenly got the login screen, huh! Checked the sessions table -
> sessA was still there. So I changed cookie preferences in opera and set the RT_SID
> cookie back to "sessA", page refresh and... I'm A, no need to log in!
>
> Which looks like my session ("sessA") was still alive and working on rt side
> but somehow rt passed different session id/cookie to opera and opera used it
> which in the end caused login screen to appear.

"somehow" is what we need to get to the bottom of. To do that, I need
the HTTP logs including all headers from your client. I need to see RT
serving you that cookie and to see the request it was on and what else
was in that request. This is fairly far into "should not be possible"
and I need a bit more of a view into what bit of infrastructure is
causing it.



jpierce at cambridgeenergyalliance

Oct 29, 2009, 7:44 AM

Post #21 of 33 (1574 views)
Permalink
Re: 3.8.x serious security issue with mixing sessions [In reply to]

> [1] it sucks a little as it doesn't have "save log" capability
Right click "Copy all rows"

arekm at maven

Oct 29, 2009, 9:23 AM

Post #23 of 33 (1571 views)
Permalink
Re: 3.8.x serious security issue with mixing sessions [In reply to]

On Thursday 29 of October 2009, Jerrad Pierce wrote:
> > [1] it sucks a little as it doesn't have "save log" capability
>
> Right click "Copy all rows"

That doesn't copy the header data, cookies etc.

--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/

arekm at maven

Oct 30, 2009, 7:13 AM

Post #25 of 33 (1483 views)
Permalink
Re: 3.8.x serious security issue with mixing sessions [SOLVED I think!] [In reply to]

On Friday 23 of October 2009, Arkadiusz Miskiewicz wrote:
> On Friday 23 of October 2009, Jesse Vincent wrote:

> > I don't think I've ever seen this wtih RT, but I have seen it with other
> > applications - the cause is _usually_ an HTTP proxy that's caching RT's
> > pages. Do you have any sort of HTTP proxy between your browsers and your
> > server?
>
> No proxy. Also rt is served over https.

There is no proxy, but the apache serving rt had the mod_cache module installed, which
turns out to be caching cookies!

Nightmare to track. Uninstalled it and so far everything is working nicely.

Now the question is: can anything be done on the rt level to prevent mod_cache from
caching such stuff and actually creating security issues?

PS. issues.apache.org is full of weird mod_cache related things

> > -jesse

--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/
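The failure mode described in this thread (a shared cache in front of the application storing a response that carries a `Set-Cookie: RT_SID=...` header and replaying it to the next browser, so two people end up with the same session) is easy to reproduce in a toy model. The following is an added example written for this archive, not code from RT, Apache mod_cache or any poster; `SessionApp`, `SharedCache` and the two `*_storable` policies are hypothetical stand-ins, and the `sessN` cookie values are constructed. It plays out the exact sequence from post #14 (A already has a valid session, B logs in through the cache, A reloads and becomes B) under a cache that stores anything with a 200 status and under one that refuses responses carrying `Set-Cookie` or `Cache-Control: private`/`no-store`. It also runs the naive cache against an application that marks its pages private, which is the "can anything be done on the rt level" question: the header only helps when the cache honours it.

```python
# Added example (not from the thread): toy model of a shared HTTP cache in
# front of a session-cookie application. All names and cookie values are
# constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Response:
    status: int
    headers: Dict[str, str]   # single-valued headers are enough for the model
    body: str


class SessionApp:
    """Stand-in for RT: a request with no known RT_SID logs the caller in and
    issues a fresh cookie; a request with a known RT_SID renders that user."""

    def __init__(self, mark_private: bool = False) -> None:
        self.sessions: Dict[str, str] = {}   # RT_SID value -> user name
        self.mark_private = mark_private
        self._next = 0

    def get(self, path: str, user: str, cookie: Optional[str]) -> Response:
        headers: Dict[str, str] = {}
        if cookie in self.sessions:
            who = self.sessions[cookie]
        else:
            self._next += 1
            cookie = f"sess{self._next}"
            self.sessions[cookie] = user
            who = user
            headers["Set-Cookie"] = f"RT_SID={cookie}; Secure; HttpOnly"
        if self.mark_private:              # what an app can do on its own side
            headers["Cache-Control"] = "private, no-store"
        return Response(200, headers, f"Logged in as {who}")


def naive_storable(resp: Response) -> bool:
    """Store every 200 response, headers included: the behaviour that lets a
    cache hand one user's Set-Cookie to another browser."""
    return resp.status == 200


def safe_storable(resp: Response) -> bool:
    """Never store a response that issues a cookie or that the origin marked
    private/no-store (the policy equivalent of 'CacheIgnoreHeaders Set-Cookie'
    plus honouring Cache-Control)."""
    if "Set-Cookie" in resp.headers:
        return False
    cc = resp.headers.get("Cache-Control", "").lower()
    return "private" not in cc and "no-store" not in cc


class SharedCache:
    """Reverse-proxy style cache keyed on the path only; like a misconfigured
    cache it ignores the request's Cookie header when looking up entries."""

    def __init__(self, origin: SessionApp, storable: Callable[[Response], bool]) -> None:
        self.origin = origin
        self.storable = storable
        self.store: Dict[str, Response] = {}

    def get(self, path: str, user: str, cookie: Optional[str]) -> Response:
        if path in self.store:
            return self.store[path]        # HIT: origin is never consulted
        resp = self.origin.get(path, user, cookie)
        if self.storable(resp):
            self.store[path] = resp
        return resp


def cookie_from(resp: Response, current: Optional[str]) -> Optional[str]:
    """Browser side: adopt the RT_SID from Set-Cookie, otherwise keep ours."""
    sc = resp.headers.get("Set-Cookie", "")
    if sc.startswith("RT_SID="):
        return sc[len("RT_SID="):].split(";", 1)[0]
    return current


def run_scenario(storable: Callable[[Response], bool], mark_private: bool = False) -> Dict[str, object]:
    """A logged in earlier; B logs in via the cache; A reloads the same URL."""
    app = SessionApp(mark_private)
    cache = SharedCache(app, storable)
    cookie_a = cookie_from(app.get("/", "A", None), None)      # sess1, direct
    cookie_b = cookie_from(cache.get("/", "B", None), None)    # sess2, via cache
    resp_a = cache.get("/", "A", cookie_a)                     # A reloads
    return {
        "a_cookie": cookie_from(resp_a, cookie_a),
        "b_cookie": cookie_b,
        "a_sees": resp_a.body,
        "a_session_still_valid": cookie_a in app.sessions,     # post #17's observation
    }


if __name__ == "__main__":
    print("naive cache:          ", run_scenario(naive_storable))
    print("safe cache:           ", run_scenario(safe_storable))
    print("naive cache, app private:", run_scenario(naive_storable, True))
```

In the naive run A reloads with her own still-valid cookie and nonetheless receives `Set-Cookie: RT_SID=sess2`, so her browser silently becomes B while `sess1` stays in the sessions table, which matches both the shared-cookie symptom and the "my old session still works if I put the cookie back" observation. The real-world counterparts of `safe_storable` are the mod_cache directives `CacheIgnoreHeaders Set-Cookie` and the default `CacheStorePrivate Off` / `CacheStoreNoStore Off`, combined with the application sending `Cache-Control: private` on authenticated pages; the third run shows that the application-side header alone does not help against a cache that disregards it.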