This version fixes a cross-site scripting vulnerability reported on 9
February 2004. This issue, described in ticket #5249, involved the
display of user-entered subject lines as non-escaped html. The issue
is described in detail here (login as “guest” with password “guest”):
We strongly encourage all sites currently running RTIR to upgrade to
this release. Many thanks to Vytautas Krakauskas from LitNET NOC CERT
(vytautas@litnet.lt) for reporting this XSS issue.
This version of RTIR also features significant performance
improvements, and the addition of the requestor in the main page
listing of unlinked incident reports.
Bug fixes include:
no HTML escaping on pre-populated information for new incidents and
investigations
stealing an incident, incident report, investigation, or block
produces the proper owner for all related tickets
‘About RTIR’ link only appears when the user is inside of RTIR
The DutyTeam group receives ShowTemplate permissions by default, for
easier use of the Scripted Action tool.
This version fixes a cross-site scripting vulnerability reported on 9
February 2004. This issue, described in ticket #5249, involved the
display of user-entered subject lines as non-escaped html. The issue
is described in detail here (login as “guest” with password “guest”):
We strongly encourage all sites currently running RTIR to upgrade to
this release. Many thanks to Vytautas Krakauskas from LitNET NOC CERT
(vytautas@litnet.lt) for reporting this XSS issue.
This version of RTIR also features significant performance
improvements, and the addition of the requestor in the main page
listing of unlinked incident reports.
Bug fixes include:
no HTML escaping on pre-populated information for new incidents and
investigations
stealing an incident, incident report, investigation, or block
produces the proper owner for all related tickets
‘About RTIR’ link only appears when the user is inside of RTIR
The DutyTeam group receives ShowTemplate permissions by default, for
easier use of the Scripted Action tool.
“Delenda est Carthago” /Cato the Elder/ .d~^v
Przemyslaw Jaroszewski 8 E R T
CERT Polska, http://www.cert.pl/ `b.a’POLSKA|
przemek@cert.pl; tel.+48 22 5231377; fax.: +48 22 5231399