RTIR 1.0.4 now available - Fixes XSS vulnerability

I’m pleased to announce that RT for Incident Response 1.0.4 is now
available at:

http://www.fsck.com/pub/rt/devel/rtir-1-0-4.tar.gz

This version fixes a cross-site scripting vulnerability reported on 9
February 2004. This issue, described in ticket #5249, involved the
display of user-entered subject lines as non-escaped HTML. The issue
is described in detail here (login as “guest” with password “guest”):

http://rt3.fsck.com/Ticket/Display.html?id=5249

We strongly encourage all sites currently running RTIR to upgrade to
this release. Many thanks to Vytautas Krakauskas from LitNET NOC CERT
(vytautas@litnet.lt) for reporting this XSS issue.

This version of RTIR also features significant performance
improvements, and the addition of the requestor in the main page
listing of unlinked incident reports.

Bug fixes include:

  • no HTML escaping on pre-populated information for new incidents and
    investigations

  • stealing an incident, incident report, investigation, or block
    produces the proper owner for all related tickets

  • ‘About RTIR’ link only appears when the user is inside of RTIR

  • The DutyTeam group receives ShowTemplate permissions by default, for
    easier use of the Scripted Action tool.

Best,
Linda Julien
Best Practical
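As an added illustration of the bug class the announcement describes (example code written for this page, not RTIR's own; the row template, helper names and sample ticket are constructed), a Python sketch rendering a listing row with the user-entered subject interpolated raw versus HTML-escaped, plus a parser-based check that flags any tag in the output that did not come from the template:

```python
import html
from html.parser import HTMLParser

# Constructed sample ticket: a reporter-controlled subject that carries markup.
SAMPLE_TICKET = {
    "id": 5249,
    "subject": "<script>alert(1)</script> Suspicious login",
    "requestor": "reporter@example.com",
}

ROW_TEMPLATE = "<tr><td>{id}</td><td>{subject}</td><td>{requestor}</td></tr>"

def render_row_unescaped(ticket):
    """The bug class from the announcement: user-entered fields are
    interpolated straight into the listing's HTML, so any markup in the
    subject is rendered by the browser instead of shown as text."""
    return ROW_TEMPLATE.format(**ticket)

def render_row_escaped(ticket):
    """Fixed form: every user-controlled value is HTML-escaped before
    interpolation. quote=True also escapes quotes, so the same helper is
    safe for values placed inside attribute values."""
    safe = {k: html.escape(str(v), quote=True) for k, v in ticket.items()}
    return ROW_TEMPLATE.format(**safe)

class _TagCollector(HTMLParser):
    """Collects the start tags a browser would see in a rendered row."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def injected_tags(rendered_row):
    """Regression check for the listing: the template itself only emits
    <tr> and <td>, so any other tag in the rendered row came from data."""
    collector = _TagCollector()
    collector.feed(rendered_row)
    collector.close()
    return [t for t in collector.tags if t not in ("tr", "td")]

if __name__ == "__main__":
    print(injected_tags(render_row_unescaped(SAMPLE_TICKET)))  # ['script']
    print(injected_tags(render_row_escaped(SAMPLE_TICKET)))    # []
```

The same check can be pointed at any rendered fragment whose template tag set is known, which makes it a cheap test to keep around for the pre-populated incident and investigation forms the bug-fix list also mentions.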

At 16:07 -0500 10-02-2004, Linda Julien wrote:

I’m pleased to announce that RT for Incident Response 1.0.4 is now
available at:

http://www.fsck.com/pub/rt/devel/rtir-1-0-4.tar.gz

RTIR mailing list
RTIR@lists.bestpractical.com
The rtir Archives

I would be happy to give it a shot to upgrade, if only the file would
be available at the URL supplied…

Best regards.

Brussels University
Pleinlaan 2
Computer Center VUB/ULB (VUBnet)
Ing. Robert Jansen
B-1050 Brussels
Belgium (Europe)

email: rjansen@vub.ac.be
Tel: +32-2-650.36.94
Secr: +32-2-650.37.38
Fax: +32-2-650.37.40

I’m pleased to announce that RT for Incident Response 1.0.4 is now
available at:

http://www.fsck.com/pub/rt/devel/rtir-1-0-4.tar.gz

I would be happy to give it a shot to upgrade, if only the file would
be available at the URL supplied…

The URL is broken indeed.

You might consider checking
http://www.bestpractical.com/rtir/download.html

Best regards,
Przemek

“Delenda est Carthago” /Cato the Elder/
Przemyslaw Jaroszewski
CERT Polska, http://www.cert.pl/
przemek@cert.pl; tel. +48 22 5231377; fax: +48 22 5231399

I would be happy to give it a shot to upgrade, if only the file would
be available at the URL supplied…

Sorry about that. You can find it at:

http://www.fsck.com/pub/rt/release/rtir-1-0-4.tar.gz

Linda