HELP! Serious Security Issues Needing Resolution!

Hi All,

I just discovered a huge security hole in my RT implementation. I’m running v3.2.1 on Redhat with MySQL as a db. I have a couple of issues:

  1. When a user logs in to check their tickets (so the user is not an admin user), they are presented with NO open tickets (even though they have some open as a requestor) and in the CLOSED tickets view, they can see 6 tickets from another requestor that they should not be able to see at all!

  2. As a regular user I can view ANY ticket by just inserting the ticket number in the URL. eg: http://tickets/SelfService/Display.html?id=515. This will show ticket #515. I tried this on a bunch of tickets and each time this limited access user could see EVERY ticket!!

These are two MAJOR issues for me as you can imagine and I’d like to know where to look to attempt to get this resolved. As a history, I recently built a new RT server and moved the DB over and recompiled RT. Not sure if this has anything to do with it, but I thought I’d throw it out there.

Thanks

-Stevo

Alright - so I’m not making any progress on this. Could the issue be how I
have my permissions set? Below are my current global group rights. Any
groups not noted have no rights.

Any ideas?!!

System Groups:
Everyone:
CommentOnTicket
CreateTicket
ReplyToTicket

Roles:
Requestor
ModifyTicket
ReplyToTicket
SeeQueue
ShowTemplate
ShowTicket

User defined groups
SupportStaff (this is a group of everyone who has admin rights to the
ticketing server)
AdminQueue
AdminUsers
CommentOnTicket
CreateTicket
DeleteTicket
ModifyACL
ModifyQueueWatchers
ModifyScrips
ModifySelf
ModifyTemplate
ModifyTicket
OwnTicket
ReplyToTicket
SeeQueue
ShowACL
ShowScrips
ShowTemplate
ShowTicket
ShowTicketComments
SuperUser
Watch
WatchAsAdminCc

----- Original Message -----
From: Stevo
To: rt-users@lists.bestpractical.com
Sent: Thursday, August 12, 2004 9:05 PM
Subject: [rt-users] HELP! Serious Security Issues Needing Resolution!


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Be sure to check out the RT wiki at http://wiki.bestpractical.com

Alright - so I’m not making any progress on this. Could the issue be how I
have my permissions set? Below are my current global group rights. Any
groups not noted have no rights.

Any ideas?!!

System Groups:
Everyone:
CommentOnTicket
CreateTicket
ReplyToTicket

This should only be “CreateTicket”

Roles:
Requestor
ModifyTicket
ReplyToTicket
SeeQueue
ShowTemplate
ShowTicket

This should only be “ReplyToTicket” and “ShowTicket”

User defined groups
SupportStaff (this is a group of everyone who has admin rights to the
ticketing server)

You had “SuperUser” in your list. If they are SuperUser already, they
don’t need any further rights. You might want to limit the access to
something more sane.

Comment, ModifyTicket, OwnTicket, SeeQueue, ShowTicket,
ShowTicketComments, Watch, WatchAsAdminCC should suffice for limited
staff access if you want to keep your colleagues from severely breaking
RT.

Regards,
Harald

Foote Cone & Belding
FCB/Wilkens, An der Alster 42, D-20099 Hamburg
Harald Wagener, Systemadministrator
Mail: hwagener@hamburg.fcb.com
Tel.: +49 40 2881 1252
Fax.: +49 40 2881 1217
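Added example, not from the thread or from RT itself: a small Python audit that encodes Harald's tightened baseline and reports which of Stevo's posted global grants go beyond it. The (Domain, Name, RightName, ObjectType) row shape is an assumption about what a join of RT's ACL and Groups tables would yield; the sample rows are constructed from the rights lists in this thread.

```python
from collections import defaultdict

# Baseline from Harald's reply: the only global rights these principals need.
RECOMMENDED = {
    ("SystemInternal", "Everyone"): {"CreateTicket"},
    ("RT::System-Role", "Requestor"): {"ReplyToTicket", "ShowTicket"},
}
# Harald's "limited staff" set for a user-defined support group.
LIMITED_STAFF = {"CommentOnTicket", "ModifyTicket", "OwnTicket", "SeeQueue",
                 "ShowTicket", "ShowTicketComments", "Watch", "WatchAsAdminCc"}

# Constructed sample rows (Domain, Name, RightName, ObjectType): assumed shape of ACL joined to Groups.
SAMPLE_GRANTS = {
    ("SystemInternal", "Everyone"): "CommentOnTicket CreateTicket ReplyToTicket",
    ("RT::System-Role", "Requestor"):
        "ModifyTicket ReplyToTicket SeeQueue ShowTemplate ShowTicket",
    ("UserDefined", "SupportStaff"):
        "AdminQueue AdminUsers CommentOnTicket CreateTicket DeleteTicket ModifyACL "
        "ModifyQueueWatchers ModifyScrips ModifySelf ModifyTemplate ModifyTicket "
        "OwnTicket ReplyToTicket SeeQueue ShowACL ShowScrips ShowTemplate ShowTicket "
        "ShowTicketComments SuperUser Watch WatchAsAdminCc",
}
SAMPLE_ACL = [(d, n, r, "RT::System") for (d, n), rs in SAMPLE_GRANTS.items()
              for r in rs.split()]
SAMPLE_ACL.append(("RT::Queue-Role", "Cc", "ShowTicket", "RT::Queue"))  # not global

def global_rights(acl_rows):
    """Collect rights granted on RT::System, keyed by (Domain, Name)."""
    rights = defaultdict(set)
    for domain, name, right, obj_type in acl_rows:
        if obj_type == "RT::System":
            rights[(domain, name)].add(right)
    return rights

def audit(acl_rows):
    """Map each over-granted principal to the sorted rights beyond its baseline."""
    findings = {}
    for principal, granted in global_rights(acl_rows).items():
        if principal in RECOMMENDED:
            allowed = RECOMMENDED[principal]
        elif principal[0] == "UserDefined" and "SuperUser" in granted:
            # SuperUser already implies every right; report all rights outside the limited-staff set.
            allowed = LIMITED_STAFF
        else:
            continue  # queue roles and other groups are out of scope here
        excess = sorted(granted - allowed)
        if excess:
            findings[principal] = excess
    return findings
```

Running `audit` against rows pulled from a live RT database instead of `SAMPLE_ACL` gives the same kind of report for that instance.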