FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

RT -- Multiple Vulnerabilities

Affected packages
4.0 <= rt40 < 4.0.8
rt38 < 3.8.15

Details

VuXML ID 4b738d54-2427-11e2-9817-c8600054b392
Discovery 2012-10-26
Entry 2012-11-01

BestPractical report:

All versions of RT are vulnerable to an email header injection attack. Users with ModifySelf or AdminUser can cause RT to add arbitrary headers or content to outgoing mail. Depending on the scrips that are configured, this may be leveraged for information leakage or phishing.
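To illustrate the mail header injection class described above (and how to close it), here is an added example in Python; it is not code from RT or from the advisory, and the field names RealName and EmailAddress are assumed stand-ins for the user-editable fields a ModifySelf user controls.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import formataddr

# A CR, LF or NUL inside a value placed on a header line can end that
# header and start a new one (or the body); that is the injection primitive.
_HEADER_BREAK = re.compile(r"[\r\n\x00]")


def is_safe_header_value(value: str) -> bool:
    """True if the value fits on a single header line."""
    return _HEADER_BREAK.search(value) is None


def build_unsafe(real_name: str, address: str, subject: str, body: str) -> str:
    """Vulnerable pattern: user-editable profile fields are concatenated
    straight into the header block of the outgoing notification."""
    return (f"From: {real_name} <{address}>\r\n"
            f"Subject: {subject}\r\n"
            f"\r\n{body}")


def build_safe(real_name: str, address: str, subject: str, body: str) -> str:
    """Hardened pattern: refuse any user-derived value that contains a line
    break, then let the email library serialise the message."""
    for field, value in (("RealName", real_name),
                         ("EmailAddress", address),
                         ("Subject", subject)):
        if not is_safe_header_value(value):
            raise ValueError(f"{field} contains a line break; message not built")
    msg = EmailMessage()
    msg["From"] = formataddr((real_name, address))
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_string()


def header_names(raw: str) -> list:
    """Parse a serialised message and list its header names, in order."""
    return list(message_from_string(raw).keys())


# Constructed sample: a RealName a ModifySelf user could have saved.
HOSTILE_REAL_NAME = "Alice\r\nX-Injected: yes"

if __name__ == "__main__":
    print(header_names(build_unsafe(HOSTILE_REAL_NAME, "alice@example.com", "Re: ticket", "Done.")))
    try:
        build_safe(HOSTILE_REAL_NAME, "alice@example.com", "Re: ticket", "Done.")
    except ValueError as exc:
        print("rejected:", exc)
```

Running it shows the naive builder emitting a third header (X-Injected) that the user never had permission to set, while the hardened builder rejects the record before any mail is produced.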

RT 4.0.0 and above and RTFM 2.0.0 and above contain a vulnerability due to lack of proper rights checking, allowing any privileged user to create Articles in any class.

All versions of RT with cross-site request forgery (CSRF) protection (RT 3.8.12 and above, RT 4.0.6 and above, and any instances running the security patches released 2012-05-22) contain a vulnerability which incorrectly allows through CSRF requests which toggle ticket bookmarks.

All versions of RT are vulnerable to a confused deputy attack on the user. While not strictly a CSRF attack, users who are not logged in who are tricked into following a malicious link may, after supplying their credentials, be subject to an attack which leverages their credentials to modify arbitrary state. While users who were logged in would have observed the CSRF protection page, users who were not logged in receive no such warning due to the intervening login process. RT has been extended to notify users of pending actions during the login process.

RT 3.8.0 and above are susceptible to a number of vulnerabilities concerning improper signing or encryption of messages using GnuPG; if GnuPG is not enabled, none of the following affect you.

References

CVE Name CVE-2012-4730
CVE Name CVE-2012-4731
CVE Name CVE-2012-4732
CVE Name CVE-2012-4734
CVE Name CVE-2012-4735
CVE Name CVE-2012-4884
URL http://blog.bestpractical.com/2012/10/security-vulnerabilities-in-rt.html