We discovered a number of security vulnerabilities which
affect both RT 3.8.x and RT 4.0.x. We are releasing RT
versions 3.8.17 and 4.0.13 to resolve these vulnerabilities,
as well as patches which apply atop all released versions of
3.8 and 4.0.
The vulnerabilities addressed by 3.8.17, 4.0.13, and the
patches below are as follows:
RT 4.0.0 and above are vulnerable to a limited privilege
escalation leading to unauthorized modification of ticket
data. The DeleteTicket right and any custom lifecycle
transition rights may be bypassed by any user with
ModifyTicket. (Ticket lifecycles were introduced in RT 4.0,
which is why 3.8 is not affected.) This vulnerability is
assigned CVE-2012-4733.
RT 3.8.0 and above include a version of bin/rt that uses
semi-predictable names when creating tempfiles. This could
be exploited by a malicious user with write access to the
same temporary directory to overwrite files with the
permissions of the user running bin/rt. This vulnerability
is assigned CVE-2013-3368.
RT 3.8.0 and above allow calling of arbitrary Mason
components (without control of arguments) for users who can
see administration pages. This could be used by a malicious
user to run private components which may have negative
side-effects. This vulnerability is assigned
CVE-2013-3369.
RT 3.8.0 and above allow direct requests to private
callback components. Though no callback components ship
with RT, this could be used to exploit an extension or local
callback which uses the arguments passed to it insecurely.
This vulnerability is assigned CVE-2013-3370.
RT 3.8.3 and above are vulnerable to cross-site scripting
(XSS) via attachment filenames. The vector is difficult to
exploit due to parsing requirements. Additionally, RT 4.0.0
and above are vulnerable to XSS via maliciously-crafted
"URLs" in ticket content when RT's "MakeClicky" feature is
configured. Although not believed to be exploitable in the
stock configuration, a patch is also included for RTIR 2.6.x
to add bulletproofing. These vulnerabilities are assigned
CVE-2013-3371.
RT 3.8.0 and above are vulnerable to an HTTP header
injection limited to the value of the Content-Disposition
header. Injection of other arbitrary response headers is
not possible. Some (especially older) browsers may allow
multiple Content-Disposition values which could lead to XSS.
Newer browsers contain security measures to prevent this.
Thank you to Dominic Hargreaves for reporting this
vulnerability. This vulnerability is assigned
CVE-2013-3372.
RT 3.8.0 and above are vulnerable to a MIME header
injection in outgoing email generated by RT. The vectors
via RT's stock templates are resolved by this patchset, but
any custom email templates should be updated to ensure that
values interpolated into mail headers do not contain
newlines. This vulnerability is assigned CVE-2013-3373.
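The Content-Disposition injection (CVE-2013-3372) and the outgoing-mail
header injection (CVE-2013-3373) above are two instances of one class:
an attacker-controlled value is interpolated into a header line without
being checked for line breaks. The following is an added example, not
RT's code or its patch, written in Python rather than RT's Perl so it
runs stand-alone. The sample subject and filename are constructed, and
every function name is a hypothetical helper. It shows the vulnerable
interpolation beside the check a custom template author should apply
(no CR or LF in a header value), in a strict form that rejects the value
and a lenient form that collapses the break. The HTTP half is a generic
illustration of the class; as the advisory notes, RT's own HTTP case was
limited to the Content-Disposition value.

```python
"""Header injection through interpolated values (added example, not RT code)."""
import re

# Any CR, LF or NUL in a value destined for a header line is the problem:
# one line break is enough to start a new header.
_HEADER_BREAK = re.compile(r"[\r\n\x00]+")

# Constructed sample inputs (not from any real ticket or attachment).
MALICIOUS_SUBJECT = "Printer broken\r\nBcc: attacker@example.net"
MALICIOUS_FILENAME = 'report.txt"\r\nContent-Disposition: inline; filename="x.html'


class HeaderInjection(ValueError):
    """Raised when a header value contains a line break."""


def check_header_value(value: str) -> str:
    """Strict check for custom templates: refuse any value that could
    split the header block. Returns the value unchanged when it is safe."""
    if _HEADER_BREAK.search(value):
        raise HeaderInjection(f"line break in header value: {value!r}")
    return value


def sanitize_header_value(value: str) -> str:
    """Lenient alternative: collapse every run of CR/LF/NUL into one space
    so the value stays on its own header line."""
    return _HEADER_BREAK.sub(" ", value)


def render_mail_headers_unsafe(to: str, subject: str) -> str:
    """The vulnerable pattern: the template interpolates the ticket
    subject straight into the header block."""
    return f"To: {to}\r\nSubject: {subject}\r\n"


def render_mail_headers_safe(to: str, subject: str) -> str:
    """The same template with the value sanitized first."""
    return f"To: {to}\r\nSubject: {sanitize_header_value(subject)}\r\n"


def parse_header_block(raw: str) -> list:
    """Split a CRLF-terminated header block into (name, value) pairs, the
    way an MTA or HTTP client would see it. Used to show what got injected."""
    headers = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def header_names(raw: str) -> list:
    """Just the header names, to make an injected header easy to spot."""
    return [name for name, _ in parse_header_block(raw)]


def content_disposition(filename: str, strict: bool = True) -> str:
    """Build a Content-Disposition header for an attachment download.
    strict=True raises on a line break; strict=False collapses it. The
    filename is also quoted-string escaped so a '"' cannot end the
    parameter early."""
    value = check_header_value(filename) if strict else sanitize_header_value(filename)
    value = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'Content-Disposition: attachment; filename="{value}"'


if __name__ == "__main__":
    # The unsafe render yields a third header (Bcc) the template never wrote.
    print(header_names(render_mail_headers_unsafe("user@example.com", MALICIOUS_SUBJECT)))
    print(header_names(render_mail_headers_safe("user@example.com", MALICIOUS_SUBJECT)))
    print(content_disposition(MALICIOUS_FILENAME, strict=False))
```

In a custom RT template the same rule applies to every value you
interpolate into a header (subject, requestor names, custom field
values): either refuse values containing a newline or strip the newline
before interpolation, and never rely on the mailer to do it for you.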
RT 3.8.0 and above are vulnerable to limited session
re-use when using the file-based session store,
Apache::Session::File. RT's default session configuration
only uses Apache::Session::File for Oracle. RT instances
using Oracle may be locally configured to use the
database-backed Apache::Session::Oracle, in which case
sessions are never re-used. The extent of session re-use is
limited to information leaks of certain user preferences and
caches, such as queue names available for ticket creation.
Thank you to Jenny Martin for reporting the problem that
led to the discovery of this vulnerability. This
vulnerability is assigned CVE-2013-3374.