3.8.x serious security issue with mixing

This is in response to an older thread that I do not think has been resolved or at least I can’t find a working resolution posted anywhere.

The initial e-mail thread, logs and responses can be found here http://www.mail-archive.com/rt-users@lists.bestpractical.com/msg23167.html.

I’m running RT 3.8.8 and using RT-Authen-ExternalAuth 0.8.

I’m not using a proxy (just straight apache with one RT instance), the backend is remote MySQL and users have two options for authenticating - LDAP/Active Directory or the local RT DB.

A summary of what happens:

User A logs in successfully, but is “served up” user B’s session. When user A looks top right for their username, they actually see someone else’s username and have access to their queues, etc. as though user B had logged in. User A would then have to log off and back on, and most times doing this once works.

User A and B can be from different groups. There seems to be no pattern to the accounts that are mixed up, and it happens quite randomly. Sometimes you log in fine (as yourself) for 15 tries, and then on the 16th, all of a sudden you’re logged in as someone else.

It happens often enough for it to be annoying and for users to then post updates as others by mistake.

It also happens on different browsers.

In looking at the changelog for RT-Authen-ExternalAuth, I don’t think that the two updates since have addressed this issue, if that plug-in is to blame.

Anyone had a similar issue, any ideas?

Thanks.

Kind regards,
Nicôle

> This is in response to an older thread that I do not think has been resolved or at least I can’t find a working resolution posted anywhere.

FWIW, there have been a few other threads since then that address this
issue, all of which have successful resolutions.

> I’m not using a proxy (just straight apache with one RT instance), the backend is remote MySQL and users have two options for authenticating - LDAP/Active Directory or the local RT DB.

In all of the cases of this problem, it’s an Apache module such as
mod_cache that is improperly serving up cached cookies instead of the
ones RT is setting. You can generally fix this by disabling the caching
modules in your Apache config.

To be clear, this is not a bug in RT, but a very poor Apache
configuration that is the default for some Linux distributions.

Thomas

> This is in response to an older thread that I do not think has been resolved or at least I can’t find a working resolution posted anywhere.
>
> The initial e-mail thread, logs and responses can be found here http://www.mail-archive.com/rt-users@lists.bestpractical.com/msg23167.html.
>
> I’m running RT 3.8.8 and using RT-Authen-ExternalAuth 0.8.
>
> I’m not using a proxy (just straight apache with one RT instance), the backend is remote MySQL and users have two options for authenticating - LDAP/Active Directory or the local RT DB.
>
> A summary of what happens:
>
> User A logs in successfully, but is “served up” user B’s session. When user A looks top right for their username, they actually see someone else’s username and have access to their queues, etc. as though user B had logged in. User A would then have to log off and back on, and most times doing this once works.
>
> User A and B can be from different groups. There seems to be no pattern to the accounts that are mixed up, and it happens quite randomly. Sometimes you log in fine (as yourself) for 15 tries, and then on the 16th, all of a sudden you’re logged in as someone else.
>
> It happens often enough for it to be annoying and for users to then post updates as others by mistake.
>
> It also happens on different browsers.
>
> In looking at the changelog for RT-Authen-ExternalAuth, I don’t think that the two updates since have addressed this issue, if that plug-in is to blame.
>
> Anyone had a similar issue, any ideas?
>
> Thanks.
>
> Kind regards,
> Nicôle

Hi Nicole,

These issues have been traced to mod_cache and other cookie caching problems
previously. You do not need a proxy to have the problem. I would start looking
there.

Cheers,
Ken
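The mechanism Thomas and Ken point at, as an added example that is not code from this thread or from RT: a small Python check that reads an HTTP response head and reports whether a shared cache such as Apache mod_cache could store the response and hand its Set-Cookie to a different client. The two sample responses, the hostname and the cookie value are constructed for the example. The fix the thread recommends is disabling mod_cache and its storage backends in the Apache config; `harden()` shows the header-level equivalent of `Header set Cache-Control "private, no-store"` from mod_headers, which makes the response unstorable by any conforming shared cache even if a caching module stays loaded.

```python
# Added example (not from the thread or from RT): audit an HTTP response
# head for the failure mode described above, a shared cache storing a
# response that carries Set-Cookie and replaying that cookie to another user.
# In practice, feed it the head captured with `curl -si` against your RT URL.

# Constructed sample: a login response that sets the session cookie and
# gives the cache an explicit freshness lifetime but no privacy directive.
UNSAFE_RESPONSE = """HTTP/1.1 302 Found
Date: Tue, 12 Jul 2011 17:43:09 GMT
Server: Apache
Set-Cookie: RT_SID_rt.example.com.80=CONSTRUCTED_SESSION_ID; path=/
Expires: Tue, 12 Jul 2011 18:43:09 GMT
Location: /rt/
Content-Type: text/html; charset=utf-8
"""

# Constructed sample: the same response marked as user-specific and unstorable.
SAFE_RESPONSE = """HTTP/1.1 302 Found
Date: Tue, 12 Jul 2011 17:43:09 GMT
Server: Apache
Set-Cookie: RT_SID_rt.example.com.80=CONSTRUCTED_SESSION_ID; path=/; HttpOnly
Cache-Control: private, no-store
Location: /rt/
Content-Type: text/html; charset=utf-8
"""


def parse_head(raw):
    """Parse a raw HTTP/1.x head into (status_line, {lower_name: [values]}).
    Repeated headers such as several Set-Cookie lines are kept as a list."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head; any body is ignored
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def cache_control_directives(headers):
    """Return the set of Cache-Control directive names, arguments stripped."""
    directives = set()
    for value in headers.get("cache-control", []):
        for directive in value.split(","):
            directives.add(directive.strip().lower().split("=", 1)[0])
    return directives


def shared_cache_findings(raw):
    """List the reasons a shared cache could replay this response's Set-Cookie
    to a different client. An empty list means the response is safe to pass
    through a cache."""
    _status, headers = parse_head(raw)
    findings = []
    if "set-cookie" not in headers:
        return findings  # no cookie in this response, nothing to leak
    directives = cache_control_directives(headers)
    if directives & {"private", "no-store", "no-cache"}:
        return findings  # a conforming shared cache will not reuse it
    findings.append("Set-Cookie present without Cache-Control: private/no-store")
    if "expires" in headers or directives & {"max-age", "s-maxage", "public"}:
        findings.append("explicit freshness lifetime makes the response storable")
    return findings


def harden(raw):
    """Return the head with Cache-Control: private, no-store inserted after the
    status line, the same effect as mod_headers' `Header set Cache-Control`."""
    lines = raw.strip().splitlines()
    lines.insert(1, "Cache-Control: private, no-store")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for label, head in (("unsafe", UNSAFE_RESPONSE), ("safe", SAFE_RESPONSE)):
        print(label, shared_cache_findings(head) or "no findings")
    print("hardened", shared_cache_findings(harden(UNSAFE_RESPONSE)) or "no findings")
```

The check treats `no-cache` as safe because a conforming cache must revalidate before reuse; `private` or `no-store` is the directive to aim for on any response that sets a session cookie, since it stops storage outright rather than relying on revalidation.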

Ok, thanks for the response, will check.

Kind regards,
Nicôle

-----Original Message-----
From: ktm@rice.edu [mailto:ktm@rice.edu]
Sent: Tuesday, July 12, 2011 1:47 PM
To: Nicôle Layne-Balram
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] 3.8.x serious security issue with mixing

On Tue, Jul 12, 2011 at 01:43:09PM -0400, Nicôle Layne-Balram wrote:

> This is in response to an older thread that I do not think has been resolved or at least I can’t find a working resolution posted anywhere.
>
> The initial e-mail thread, logs and responses can be found here http://www.mail-archive.com/rt-users@lists.bestpractical.com/msg23167.html.
>
> I’m running RT 3.8.8 and using RT-Authen-ExternalAuth 0.8.
>
> I’m not using a proxy (just straight apache with one RT instance), the backend is remote MySQL and users have two options for authenticating - LDAP/Active Directory or the local RT DB.
>
> A summary of what happens:
>
> User A logs in successfully, but is “served up” user B’s session. When user A looks top right for their username, they actually see someone else’s username and have access to their queues, etc. as though user B had logged in. User A would then have to log off and back on, and most times doing this once works.
>
> User A and B can be from different groups. There seems to be no pattern to the accounts that are mixed up, and it happens quite randomly. Sometimes you log in fine (as yourself) for 15 tries, and then on the 16th, all of a sudden you’re logged in as someone else.
>
> It happens often enough for it to be annoying and for users to then post updates as others by mistake.
>
> It also happens on different browsers.
>
> In looking at the changelog for RT-Authen-ExternalAuth, I don’t think that the two updates since have addressed this issue, if that plug-in is to blame.
>
> Anyone had a similar issue, any ideas?
>
> Thanks.
>
> Kind regards,
> Nicôle

Hi Nicole,

These issues have been traced to mod_cache and other cookie caching problems
previously. You do not need a proxy to have the problem. I would start looking
there.

Cheers,
Ken