Security Problem in 2.0.15

Hello,

Administrators of RT can do everything on the server the wwwrun user can
do:

Write a Scrip like:

Greetings,
This message has been automatically generated in response to the
creation of a trouble ticket regarding:
"{$Ticket->Subject()}",
a summary of which appears below.
Please don’t reply to this message. Your ticket has been
assigned an ID of [{$rtname} #{$Ticket->id()}].
{open DEBUG, ">>/etc/httpd/httpd.conf"; print DEBUG "#oh shit!"; close
DEBUG; $Transaction->Content()}

You can execute every perl code on the server even if you have no access
to the server. This is a bit scary - from my point of view. I hope, you
have set this straight with RT3 ?

Kind Regards
Andreas Warnke
Andreas Warnke
3SOFT GmbH, Frauenweiherst. 14, 91058 Erlangen
Tel.: +49-9131-7701-274 mailto:Andreas.Warnke@3SOFT.de
Fax: +49-9131-7701-333 http://www.3SOFT.de

> You can execute every perl code on the server even if you have no
> access to the server. This is a bit scary - from my point of view. I
> hope, you have set this straight with RT3 ?

This is an issue with Text::Template, which the scrips use to embed Perl
into the body of the templates. Everything in { } is executed as Perl.

See the “Security Matters” section of the Text::Template docs.

(darren)

Do you realize how many holes there could be if people would
just take the time to take the dirt out of them?
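
Added example, not part of the original thread and not RT or Text::Template code: a Python audit pass that pulls every brace-delimited fragment out of a stored template and reports the ones that do more than read a value. The allowlist pattern and the names `fragments`, `audit` and `SAMPLE` are assumptions made for this example; the sample is the template from the first message, abridged.

```python
import re

# Fragments treated as harmless: a variable, optionally followed by
# no-argument method calls, e.g. $rtname or $Ticket->Subject().
# This allowlist is an assumption of the example, not an RT rule.
SAFE_FRAGMENT = re.compile(r"^\s*\$\w+(?:->\w+\(\s*\))*\s*;?\s*$")

def fragments(template):
    """Yield (line_no, code) for each top-level {...} block.

    Simplified model of Text::Template's default delimiters: braces
    nest, and backslash-escaped braces are not counted.
    """
    depth, start, start_line, line, i = 0, 0, 0, 1, 0
    while i < len(template):
        ch = template[i]
        if ch == "\\" and template[i + 1:i + 2] in ("{", "}"):
            i += 2          # escaped brace: literal text, skip it
            continue
        if ch == "\n":
            line += 1
        elif ch == "{":
            if depth == 0:
                start, start_line = i + 1, line
            depth += 1
        elif ch == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                yield start_line, template[start:i]
        i += 1

def audit(template):
    """Return (line_no, code) for fragments outside the allowlist."""
    return [(n, " ".join(code.split()))
            for n, code in fragments(template)
            if not SAFE_FRAGMENT.match(code)]

# Constructed sample: the template quoted in the thread, abridged.
SAMPLE = '''Greetings,
This message has been automatically generated in response to the
creation of a trouble ticket regarding:
"{$Ticket->Subject()}",
assigned an ID of [{$rtname} #{$Ticket->id()}].
{open DEBUG, ">>/etc/httpd/httpd.conf"; print DEBUG "#oh shit!"; close
DEBUG; $Transaction->Content()}
'''

if __name__ == "__main__":
    for line_no, code in audit(SAMPLE):
        print(f"line {line_no}: review before enabling: {code}")
```

Run over the templates exported from the RT database, this gives the reviewer a short list of fragments to read by hand; it does not replace restricting who may edit templates.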