Any XSS issues?

Hi all,

The topic of XSS vulnerability came up in an internal discussion about
our pending upgrade to 3.8.x. We ran across a (very) old mailing list
post about RT 2 having XSS protections, nothing obvious since. Using
an “xss scriptlet” one of the guys dug up I posted it into the message
box and created a new ticket. The resulting ticket displayed the
javascript exactly as I pasted it in. This tells me that there is
definitely some level of XSS prevention built into RT.

Any gotchas I should know about?

Drew
Drew Taylor * Web development & consulting
Email: drew@drewtaylor.com * Site implementation & hosting
Web : www.drewtaylor.com * perl/mod_perl/DBI/mysql/postgres

> Hi all,
>
> The topic of XSS vulnerability came up in an internal discussion about
> our pending upgrade to 3.8.x. We ran across a (very) old mailing list
> post about RT 2 having XSS protections, nothing obvious since. Using
> an “xss scriptlet” one of the guys dug up I posted it into the message
> box and created a new ticket. The resulting ticket displayed the
> javascript exactly as I pasted it in. This tells me that there is
> definitely some level of XSS prevention built into RT.

There certainly is.

> Any gotchas I should know about?

Nope. As always, we do take security issues very seriously and would
greatly appreciate it if you bring anything you discover to our
attention quickly and (initially) quietly to give us a chance to help RT
users mitigate issues before anyone has a chance to exploit a newly
discovered vulnerability.

> > The topic of XSS vulnerability came up in an internal discussion about
> > … This tells me that there is
> > definitely some level of XSS prevention built into RT.

> There certainly is.

> > Any gotchas I should know about?

> Nope. As always, we do take security issues very seriously and would

Well, we did find one gotcha though I can’t strictly call it RT’s
fault. Creating tickets through the web UI does successfully escape
malicious output, but that doesn’t apply to tickets created via
RT::Client::REST. Is there a way I can get REST-generated tickets to
go through the same escaping as UI-generated tickets?

Thanks,
Drew
Drew Taylor * Web development & consulting
Email: drew@drewtaylor.com * Site implementation & hosting
Web : www.drewtaylor.com * perl/mod_perl/DBI/mysql/postgres

> Well, we did find one gotcha though I can’t strictly call it RT’s
> fault. Creating tickets through the web UI does successfully escape
> malicious output, but that doesn’t apply to tickets created via
> RT::Client::REST. Is there a way I can get REST-generated tickets to
> go through the same escaping as UI-generated tickets?

This module’s not supported by Best Practical, and closer to unsupported
right now. Dmitri et al. are handing out commit bits for google code (ick,
one of the reasons I’ve not yet made some fixes) if you’re interested.
Otherwise, you could submit a patch on rt.cpan.org

Cambridge Energy Alliance: Save money. Save the planet.
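Drew’s observation above (web-created tickets display the probe harmlessly, REST-created ones do not) is the classic symptom of escaping being applied per input channel instead of once at output. The script below is an added example written for this thread; it is not RT’s code and it does not use RT::Client::REST. It models two creation channels (a hypothetical web form that escapes on the way in, and a hypothetical REST path that stores raw text) and two renderers, one that trusts stored data and one that HTML-escapes at render time. Everything in it is constructed for illustration, including the in-memory ticket list and the probe payload.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal HTML escaping for text placed in an HTML element body.
# Covers the five characters that matter in that context; attribute
# and JavaScript contexts need their own, stricter encoders.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

my @tickets;   # constructed in-memory "database": one hashref per ticket

# Channel 1 (hypothetical): a web form that sanitizes on the way in.
sub create_ticket_web {
    my ($subject, $body) = @_;
    push @tickets, { id => scalar(@tickets) + 1, via => 'web',
                     subject => html_escape($subject), body => html_escape($body) };
    return $tickets[-1]{id};
}

# Channel 2 (hypothetical): a REST client that stores the raw text.
sub create_ticket_rest {
    my ($subject, $body) = @_;
    push @tickets, { id => scalar(@tickets) + 1, via => 'rest',
                     subject => $subject, body => $body };
    return $tickets[-1]{id};
}

# Renderer A: trusts whatever is in the store ("escape on input" model).
sub render_trusting {
    my ($t) = @_;
    return "<h1>$t->{subject}</h1>\n<pre>$t->{body}</pre>\n";
}

# Renderer B: escapes at output time, so every channel is covered.
sub render_escaping {
    my ($t) = @_;
    return '<h1>' . html_escape($t->{subject}) . "</h1>\n"
         . '<pre>' . html_escape($t->{body}) . "</pre>\n";
}

# Constructed probe payload: the usual script-tag test.
my $payload = q{<script>alert(document.cookie)</script>};
create_ticket_web('probe via web',  $payload);
create_ticket_rest('probe via REST', $payload);

for my $t (@tickets) {
    my $out = render_trusting($t);
    printf "%-4s trusting renderer: %s\n", $t->{via},
        $out =~ /<script>/ ? 'VULNERABLE (raw <script> reaches the browser)' : 'ok';
    $out = render_escaping($t);
    printf "%-4s escaping renderer: %s\n", $t->{via},
        $out =~ /<script>/ ? 'VULNERABLE' : 'ok';
}
```

Run as-is with any reasonably recent perl; it needs no modules beyond strict and warnings. The trusting renderer is safe only for the web ticket, which is exactly the asymmetry Drew saw. The escaping renderer is safe for both, but note what happens to the web ticket there: its already-escaped `&lt;script&gt;` comes out as `&amp;lt;script&amp;gt;` and displays as literal entity text. That double escaping is the usual cost of sanitizing on input, and the reason output-time escaping should be the one place it happens, with any input-side escaping removed once the templates are trusted to do the job. Whether RT’s own templates or RT::Client::REST behave like either of these models is not something this example establishes; it only shows why the fix belongs in the rendering path rather than in each client.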