RT 2.0.x, up to and including 2.0.6, has a possible security hole, whereby
if the ticket owner views a ticket and then another privileged user looks
at the same ticket within the same server process, a variable scoping bug
may let the second user access data that he shouldn’t be able to.
The fix is a simple change to RT::User::_HasRight, as appears in the diff
below. No matter what, this bug doesn’t open your RT database up to end-user
requestors, because the web interface imposes an extra check for them.
RT 2.0.7 will be out shortly and will correct this bug. In the meantime,
the change below is exactly what I’m dropping into the source.
RCS file: /raid/cvsroot/rt/lib/RT/Attic/User.pm,v
retrieving revision 184.108.40.206
diff -r220.127.116.11 User.pm
< my ($Requestor, $Cc, $AdminCc);
my ($IsRequestor, $IsCc, $IsAdminCc, $IsOwner);
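Review bot: the added declaration line lacks its `>` marker and the hunk has no line-number header, so this diff can't be applied with `patch` and must be edited in by hand; it also shows only the renamed lexicals (`$IsRequestor`, `$IsCc`, `$IsAdminCc`, `$IsOwner`) and not where the `my` now sits. Since the announcement describes a scoping bug that leaks state between users in the same server process, whoever applies this should confirm that the new `my (...)` line lives inside `_HasRight` (so every call starts with undefined flags) rather than at file scope, and that nothing else in the file still refers to `$Requestor`, `$Cc` or `$AdminCc`.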
http://www.bestpractical.com/products/rt – Trouble Ticketing. Free.
rt-announce mailing list