Permissions loophole?

RT Users
1

Hi,

I have recently installed the release version of RT3 onto a new server for testing as my company would like to switch over to using a ticketing system rather than standard email.

I have noticed one odd thing with the way it processes mail (although it may be my setup but I can’t see where), if there is a user on the system, e.g. autocreated by opening a ticket, they can reply to any other ticket by simply changing the number in the subject of the message and this reply will be forwarded onto the ticket requestor.

This does not seem correct to me as it would allow a spammer to randomly guess ticket numbers and then send mail to our customers using rt as the relay.

The only permissions I have set are to allow is for “Everyone” to be able to create tickets, no specific permissions are set for replying to tickets but RT still lets the mail through.

Have I made a mistake in the setup or is this a loophole in the program?

Cheers

James

2

I have noticed one odd thing with the way it processes mail (although it =
may be my setup but I can’t see where), if there is a user on the =
system, e.g. autocreated by opening a ticket, they can reply to any =
other ticket by simply changing the number in the subject of the message =
and this reply will be forwarded onto the ticket requestor.

This does not seem correct to me as it would allow a spammer to randomly =
guess ticket numbers and then send mail to our customers using rt as the =
relay.

I have same problem. We don’t want RT to sent mail out of RT, if the transaction
is originated via Email.

I think, we need some patch??

Best regards,
David

3

> I have noticed one odd thing with the way it processes mail

(although it =

> may be my setup but I can’t see where), if there is a user on the =

> system, e.g. autocreated by opening a ticket, they can reply to any =

> other ticket by simply changing the number in the subject of

the message =

> and this reply will be forwarded onto the ticket requestor.

I have same problem. We don’t want RT to sent mail out of RT, if

the transaction

is originated via Email.

I think you both need to check your permissions.
Grant ReplyToTicket to Requestor, not to Everyone.

Regards,

Martin

4

It should be fairly trivial to write a wrapper that
ensures that the email has the correct domain… As
a first wild hack at a trivial mail filter:

#!/usr/bin/perl -w
use strict;
my @email = ;
my $mailsent = 0;
foreach (@email) {
# We are only checking the header for a From field…
last if (/^\n$/);
if (/^From/) {
my $emailOK = 0;
# Insert code to grab and verify the email
# address here. If email is OK, set $emailOK
# to 1;
if ($emailOK) {
print foreach (@email);
$mailsent = 1;
last; # only want to send it once…
}
}
}
if (!$mailsent) {
# Do whatever you want with evil spam email here…
}

Then you could put in your aliases file:

rt-alias: “|/path/to/check | RT_COMMAND_HERE”

Should work without too much trouble… Biggest issue I can
see with this method is that it might send a blank email through
to RT if no valid email address is found. If RT ignores blank
input (hopefully it does… I haven’t tried it yet…) then you
will be set…

Advantage of doing it this way is if you want to have your
queues protected on a per-queue basis…

In theory, you could also pass it through procmail and get that
to do your mail filtering… That would be another way to do it…
I’m not sure if procmail rules can be set up for email aliases…
You would have to check that out more thoroughly… Would give
you a lot more flexibility with what to do with spammers, etc.
if you used procmail… Depending on how your email server is
setup, it might be more efficient than doing it through RT…

HTH

Greg

5

I think you both need to check your permissions.
Grant ReplyToTicket to Requestor, not to Everyone.

That would do it… :wink: Though you probably meant
to grant ReplyToTicket to Owner as well… :wink:

Greg

6

Hi,

Thanks, was my own stupidity I’m afraid, I had the correct settings on the
relevent queues but not on the global permissions which I had overlooked,
all working correctly now :slight_smile:

James----- Original Message -----
From: “Martin Schapendonk” martin.schapendonk@whitehorses.nl
To: “RT Users” rt-users@lists.fsck.com
Sent: Monday, March 31, 2003 7:58 AM
Subject: RE: [rt-users] permissions loophole?

> I have noticed one odd thing with the way it processes mail

(although it =

> may be my setup but I can’t see where), if there is a user on the =

> system, e.g. autocreated by opening a ticket, they can reply to any =

> other ticket by simply changing the number in the subject of

the message =

> and this reply will be forwarded onto the ticket requestor.

I have same problem. We don’t want RT to sent mail out of RT, if

the transaction

is originated via Email.

I think you both need to check your permissions.
Grant ReplyToTicket to Requestor, not to Everyone.

Regards,

Martin

rt-users mailing list
rt-users@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users

Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm