"Security hole" in Transaction handling

Here is the problem:

3 queues: support,bugs,test

RT 3.0.10

For each queue, a group right for (Create ticket, Reply to ticket) to
Non-privileged users.

(classic setup I think)

Now I want to use SelfService and put a user in a group which has only ShowQueue and
ShowTicket rights in the “bugs” queue. This user has no other rights.

On a ticket from the bugs queue belonging to him, he can select the "Reply"
link (over a transaction) and reply to the transaction. The new page
shows the quoted transaction…

But he can also use this URL and provide any TransactionNumber in
"QuoteTransaction", and the reply quotes that message … he can see any
transaction!!

https://ssl.mydomain.tld/rt/SlefService/Update.html?id=466&QuoteTransaction=3360&Action=Respond

Maybe I’m missing something, but if not, I consider this a security
hole since any logged-in user can show any transaction…

AW, thanks for making RT such a cool piece of GPL software!

Emmanuel Lacour ------------------------------------ Easter-eggs
44-46 rue de l’Ouest - 75014 Paris - France - Métro Gaîté
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:elacour@easter-eggs.com - http://www.easter-eggs.com

Emmanuel,

Thank you very much for reporting this perceived issue. However, I
think (and an initial test confirms) that the exploit you describe
isn’t possible.
If you have a look at lib/RT/Attachment_Overlay.pm, you’ll see that
“sub Content” calls “sub _Value”, which performs an access control
check, to prevent exactly what you’ve described.

FWIW, I’ve hidden a secret message in transaction 25493 on
rt3.fsck.com. If you can actually bypass RT’s access control
mechanism, I’d love to know what that message says :wink:

Best,
Jesse Vincent
Best Practical

Here is the problem:

3 queues: support,bugs,test

RT 3.0.10

For each queue, a group right for (Create ticket, Reply to ticket) to
Non-privileged users.

(classic setup I think)

Now I want to use SelfService and put a user in a group which has only
ShowQueue and
ShowTicket rights in the “bugs” queue. This user has no other rights.

But have you granted “Everyone” rights? Or possibly “Unprivileged users”?


Hi again,

Sorry, my mistake. After some mail exchanges with the RT staff, I’ve found
that it was a problem on my RT; I was using the wrong rights:

On each queue:

everyone group: create ticket, reply to ticket

I have now:

everyone group: create ticket
requestors and ccs groups: reply to ticket

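The two technical points in this thread, Jesse's description of where RT's check lives (the content accessor checks the right on the transaction's own ticket, so the ticket id in the URL cannot be used to reach another ticket's text) and Emmanuel's corrected queue rights (Everyone may only create; requestors and ccs may reply), can be modelled together. The block below is an added example written for this page; it is not RT's code and not code from either poster. Every class and function name in it (Queue, User, Ticket, Transaction, has_right, transaction_content, quote_for_reply, build_scenario, check_quotes) is a stand-in, the ticket and transaction numbers are constructed sample data, and only the right names (CreateTicket, ReplyToTicket, ShowTicket, ShowQueue) and the URL shape come from the thread.

```python
# Added example, not code from RT or from the thread's authors. It models the
# access-control shape Jesse describes: the check sits on the content accessor
# and is keyed to the transaction's own ticket. All names below are stand-ins,
# not RT APIs; ticket/transaction numbers are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Queue:
    name: str
    # principal ("Everyone", a role such as "Requestor"/"Cc", or a group name)
    # -> rights granted on every ticket in this queue
    rights: dict = field(default_factory=dict)


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)


@dataclass
class Ticket:
    id: int
    queue: Queue
    requestors: set = field(default_factory=set)
    ccs: set = field(default_factory=set)


@dataclass
class Transaction:
    id: int
    ticket: Ticket
    content: str


class AccessDenied(Exception):
    pass


def has_right(user, ticket, right):
    """Resolve a right from queue-level grants: to Everyone, to any of the
    user's groups, or to the role (Requestor/Cc) the user holds on this ticket."""
    grants = ticket.queue.rights
    principals = {"Everyone", *user.groups}
    if user.name in ticket.requestors:
        principals.add("Requestor")
    if user.name in ticket.ccs:
        principals.add("Cc")
    return any(right in grants.get(p, set()) for p in principals)


def transaction_content(user, txn):
    """The accessor is the choke point: content is released only if the user
    may see the ticket this transaction belongs to, however the caller got here."""
    if not has_right(user, txn.ticket, "ShowTicket"):
        raise AccessDenied(f"no ShowTicket on ticket {txn.ticket.id}")
    return txn.content


def quote_for_reply(user, ticket_id, quote_txn_id, tickets, transactions):
    """Model of the Update.html?id=...&QuoteTransaction=...&Action=Respond
    handler. The ticket id from the URL only decides whether a reply may be
    posted; what may be quoted is decided per transaction by the accessor."""
    if not has_right(user, tickets[ticket_id], "ReplyToTicket"):
        raise AccessDenied(f"no ReplyToTicket on ticket {ticket_id}")
    body = transaction_content(user, transactions[quote_txn_id])
    return "\n".join("> " + line for line in body.splitlines())


def build_scenario(reply_to_everyone=False):
    """Constructed data mirroring the thread: a bugs and a support queue, and a
    self-service user who is requestor on one bugs ticket and belongs to a group
    holding only ShowQueue/ShowTicket on bugs. reply_to_everyone=True gives the
    rights Emmanuel first used (Everyone may reply); False gives the corrected
    ones (only requestors and ccs may reply)."""
    reply_roles = ["Everyone"] if reply_to_everyone else ["Requestor", "Cc"]

    def queue_rights(extra=None):
        rights = {"Everyone": {"CreateTicket"}}
        for role in reply_roles:
            rights.setdefault(role, set()).add("ReplyToTicket")
        if extra:
            rights.update(extra)
        return rights

    bugs = Queue("bugs", queue_rights({"bugs-viewers": {"ShowQueue", "ShowTicket"}}))
    support = Queue("support", queue_rights())
    user = User("elacour", groups={"bugs-viewers"})
    tickets = {
        466: Ticket(466, bugs, requestors={"elacour"}),
        470: Ticket(470, support, requestors={"someone-else"}),
    }
    transactions = {
        3350: Transaction(3350, tickets[466], "Original bug report text"),
        3360: Transaction(3360, tickets[470], "Support-only message"),
    }
    return user, tickets, transactions


def check_quotes(reply_to_everyone=False):
    """Attempt the legitimate quote and the cross-ticket one; return the outcome
    of each so it can be asserted rather than only printed."""
    user, tickets, transactions = build_scenario(reply_to_everyone)
    results = {}
    for label, ticket_id, txn_id in [("own", 466, 3350), ("foreign", 466, 3360)]:
        try:
            results[label] = quote_for_reply(user, ticket_id, txn_id, tickets, transactions)
        except AccessDenied as e:
            results[label] = f"denied: {e}"
    return results


if __name__ == "__main__":
    for cfg in (False, True):
        print("Everyone may reply:" if cfg else "Requestors/ccs reply:", check_quotes(cfg))
```

Running it shows the same result under both rights configurations: the user's own transaction quotes, and the transaction on the support ticket is refused with "no ShowTicket on ticket 470". Granting ReplyToTicket to Everyone widens who may post, but it never widens what may be read, because the read check is attached to the data rather than to the request's ticket parameter; that is the property Jesse points at, and the reason the queue-rights cleanup in the last post is about posting, not disclosure.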