Unprivileged users need to log in twice

A Debian 5.0 upgrade fixed a session fixation vulnerability on December 1,
2009 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559020). It seems
that when this happened, my installation now requires unprivileged users
to log in twice. At the first login, the username and password fields are
cleared and nothing seems to have happened. Put in the username and
password a second time and the user is logged in. Sometimes if I try to
log in as an unprivileged user, get put back to the login screen, then
log in as a privileged user, I get logged in with diminished privileges.
Would someone please tell me what’s going on? Maybe now would be a good
time to upgrade to 3.8?

David Griffith
dgriffi@cs.csubak.edu

A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

David,

This is only the second report we’ve had of this failure mode, but it
is the second report.

> A Debian 5.0 upgrade fixed a session fixation vulnerability on December 1,
> 2009 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559020). It seems
> that when this happened, my installation now requires unprivileged users
> to log in twice.

What version of RT are you using? Have you customized it in any way? Are
you using only RT’s built-in authentication system?

> At the first login, the username and password fields are
> cleared and nothing seems to have happened. Put in the username and
> password a second time and the user is logged in. Sometimes if I try to
> log in as an unprivileged user, get put back to the login screen, then
> log in as a privileged user, I get logged in with diminished privileges.

That sentence doesn’t make much sense to me. Can you take another shot
at it?

> Would someone please tell me what’s going on? Maybe now would be a good
> time to upgrade to 3.8?

RT 3.8 is much better than what came before, but we’d certainly not like
to have broken earlier releases with a security fix.

> David,
>
> This is only the second report we’ve had of this failure mode, but it
> is the second report.
>
> > A Debian 5.0 upgrade fixed a session fixation vulnerability on December 1,
> > 2009 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559020). It seems
> > that when this happened, my installation now requires unprivileged users
> > to log in twice.
>
> What version of RT are you using? Have you customized it in any way? Are
> you using only RT’s built-in authentication system?

I’m using 3.6.7 as installed through APT on Debian Lenny. Only RT’s
built-in authentication is being used. I haven’t customized it beyond
setting things in /etc/request-tracker3.6/RT_SiteConfig.pm. I haven’t
hacked around with the source code.

> > At the first login, the username and password fields are cleared and
> > nothing seems to have happened. Put in the username and password a
> > second time and the user is logged in. Sometimes if I try to log in as
> > an unprivileged user, get put back to the login screen, then log in as a
> > privileged user, I get logged in with diminished privileges.

> That sentence doesn’t make much sense to me. Can you take another shot
> at it?

Go to http://foobar.com/rt and you see the RT login screen. Log in as an
unprivileged user (Alice). The username and password fields will blank
out. Type in Alice’s username and password again, and you’ll be logged in
as Alice. That’s the first part of the bug. The second part is when you
type in the username-password the second time. If at that point you
attempt to log in as a privileged user, you’ll log in, but your
permissions are that of an unprivileged user.

> > Would someone please tell me what’s going on? Maybe now would be a good
> > time to upgrade to 3.8?

> RT 3.8 is much better than what came before, but we’d certainly not like
> to have broken earlier releases with a security fix.

Er… Yeah! I’ve been waiting for Debian to get a move on and put RT 3.8
in the stable repositories, but with this zinger, I don’t think I can
wait. It’s time to install from source.

David Griffith
dgriffi@cs.csubak.edu


> Go to http://foobar.com/rt and you see the RT login screen. Log in as an
> unprivileged user (Alice). The username and password fields will blank
> out. Type in Alice’s username and password again, and you’ll be logged in
> as Alice. That’s the first part of the bug.

What happens at http://foobar.com/rt/ vs /rt?
Also, what is your URL after the initial failed login?

> The second part is when you
> type in the username-password the second time. If at that point you
> attempt to log in as a privileged user, you’ll log in, but your
> permissions are that of an unprivileged user.

This sounds like the initial login worked enough to get you redirected
to /rt/SelfService/, which would certainly make it appear that you’re
an unprivileged user when you then log in as Bob (the privileged user).

-kevin

> > Go to http://foobar.com/rt and you see the RT login screen. Log in as an
> > unprivileged user (Alice). The username and password fields will blank
> > out. Type in Alice’s username and password again, and you’ll be logged in
> > as Alice. That’s the first part of the bug.

> What happens at http://foobar.com/rt/ vs /rt?
> Also, what is your URL after the initial failed login?

Trailing slash makes no difference. The URL after initial failed login is
http://foobar.com/rt/SelfService/

> > The second part is when you type in the username-password the second
> > time. If at that point you attempt to log in as a privileged user,
> > you’ll log in, but your permissions are that of an unprivileged user.

> This sounds like the initial login worked enough to get you redirected
> to /rt/SelfService/, which would certainly make it appear that you’re
> an unprivileged user when you then log in as Bob (the privileged user).

I see. Any ideas of what’s going on?

In other news, I’m having trouble with getting 3.8.6 installed on Debian
Lenny. make testdeps keeps giving me this:

SOME DEPENDENCIES WERE MISSING.
FASTCGI missing dependencies:
CGI >= 3.38 ...MISSING
CGI version 3.38 required--this is only version 3.29
make: *** [testdeps] Error 1

I’m very keen to get this installed alongside my existing RT setup rather
than replacing it and having it go kablooie.

David Griffith
dgriffi@cs.csubak.edu


> > > Go to http://foobar.com/rt and you see the RT login screen. Log in as an
> > > unprivileged user (Alice). The username and password fields will blank
> > > out. Type in Alice’s username and password again, and you’ll be logged in
> > > as Alice. That’s the first part of the bug.

> > What happens at http://foobar.com/rt/ vs /rt?
> > Also, what is your URL after the initial failed login?

> Trailing slash makes no difference. The URL after initial failed login is
> http://foobar.com/rt/SelfService/

> > > The second part is when you type in the username-password the second
> > > time. If at that point you attempt to log in as a privileged user,
> > > you’ll log in, but your permissions are that of an unprivileged user.

> > This sounds like the initial login worked enough to get you redirected
> > to /rt/SelfService/, which would certainly make it appear that you’re
> > an unprivileged user when you then log in as Bob (the privileged user).

> I see. Any ideas of what’s going on?

Not without further digging, but at least we’ve explained the
unprivileged rights issue.

-kevin

> Er… Yeah! I’ve been waiting for Debian to get a move on and put RT 3.8
> in the stable repositories, but with this zinger, I don’t think I can
> wait. It’s time to install from source.

Hi David,

I’m the principal Debian maintainer of RT, and I’ll certainly take a
look at the problem when I can (may not be until tomorrow evening
unfortunately).

I wonder if it is the same problem as

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560015.

While I’m here though, I thought I could point out a few things about
general RT packaging in Debian.

Debian stable’s update policy is not to upload new upstream releases
and we certainly wouldn’t update from 3.6 to 3.8 in unstable. You
can read more about this at

http://www.debian.org/doc/FAQ/ch-getting.en.html#s-updatestable

However…

On Wed, Dec 09, 2009 at 12:26:53PM -0800, David Griffith wrote:

> In other news, I’m having trouble with getting 3.8.6 installed on Debian
> Lenny. make testdeps keeps giving me this:
>
> SOME DEPENDENCIES WERE MISSING.
> FASTCGI missing dependencies:
> CGI >= 3.38 ...MISSING
> CGI version 3.38 required--this is only version 3.29
> make: *** [testdeps] Error 1
>
> I’m very keen to get this installed alongside my existing RT setup rather
> than replacing it and having it go kablooie.

… it is not particularly hard to install RT 3.8.6 from
squeeze (testing):

http://pkg-request-tracker.alioth.debian.org/

http://wiki.debian.org/AptPinning
and
http://www.backports.org/dokuwiki/doku.php

may also be useful. I have deployments of RT3.8 on both etch and lenny
and will generally make sure the packages work on both.

Dominic Hargreaves, Systems Development and Support Team
Computing Services, University of Oxford

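For the "install 3.8 from squeeze" route Dominic points at, the pinning looks roughly like the following. This is an added illustration in the apt_preferences format, not text from Dominic's message or from the Debian RT packaging pages; the mirror, the file names and the request-tracker3.8 / rt3.8-* binary package names are assumptions to be checked against the archive before use.

```text
# /etc/apt/sources.list  (assumed: the testing line is added next to the
# existing stable line; mirror name is an assumption)
deb http://ftp.debian.org/debian/ lenny   main
deb http://ftp.debian.org/debian/ squeeze main

# /etc/apt/preferences
# Keep the whole box on stable: a priority below 500 means a testing
# version is never chosen over the stable one, even when it is newer.
Package: *
Pin: release a=testing
Pin-Priority: 100

# Only the RT packages may come from testing (above 500 beats stable).
# Package names assumed; add the database backend you actually use.
Package: request-tracker3.8
Pin: release a=testing
Pin-Priority: 600

Package: rt3.8-apache2
Pin: release a=testing
Pin-Priority: 600

Package: rt3.8-db-mysql
Pin: release a=testing
Pin-Priority: 600
```

Check the result with `apt-cache policy request-tracker3.8` (the candidate should come from squeeze) and with `apt-cache policy` on some unrelated package (the candidate should still be the lenny one). If the RT packages need a dependency that is newer than lenny ships, apt will refuse rather than silently pull it from testing; pin that package explicitly too instead of raising the priority of all of testing, which would migrate the whole system to squeeze. The CGI >= 3.38 requirement that `make testdeps` reports against lenny's 3.29 is the kind of dependency to expect here.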

> > > > Go to http://foobar.com/rt and you see the RT login screen. Log in as an
> > > > unprivileged user (Alice). The username and password fields will blank
> > > > out. Type in Alice’s username and password again, and you’ll be logged in
> > > > as Alice. That’s the first part of the bug.
>
> > > What happens at http://foobar.com/rt/ vs /rt?
> > > Also, what is your URL after the initial failed login?
>
> > Trailing slash makes no difference. The URL after initial failed login is
> > http://foobar.com/rt/SelfService/
>
> > > > The second part is when you type in the username-password the second
> > > > time. If at that point you attempt to log in as a privileged user,
> > > > you’ll log in, but your permissions are that of an unprivileged user.
>
> > > This sounds like the initial login worked enough to get you redirected
> > > to /rt/SelfService/, which would certainly make it appear that you’re
> > > an unprivileged user when you then log in as Bob (the privileged user).
>
> > I see. Any ideas of what’s going on?
>
> Not without further digging, but at least we’ve explained the
> unprivileged rights issue.

I’d be interested to know if the following patch fixes this on debian
stable. You should be able to apply it with

cd /usr/share/request-tracker3.6; patch < ErrHeadersOut.patch

and a restart of apache

-kevin
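The failure mode Kevin has pieced together above (first login redirects to /rt/SelfService/ and arrives there logged out, a second login from that page works, and a privileged user who then logs in from that page looks unprivileged) is easiest to see in a small simulation. The following is an added example written for this page, not RT's code and not Kevin's patch. It models a login handler that regenerates the session id on successful authentication, which is the standard session-fixation defence, and then redirects unprivileged users to the self-service UI. The `cookie_survives_redirect` switch stands in for whether the Set-Cookie carrying the new session id is actually delivered on the 302; that it was not, because the cookie header was emitted in a place Apache discards on non-OK handler responses, is my reading of the patch name ErrHeadersOut, not something the thread states. The account names, passwords, paths and the `Server` / `Browser` classes are all constructed for the example.

```python
"""Simulation of an RT-style login with session-id regeneration and a
SelfService redirect. Added example for this thread; not RT's code."""
import secrets

# Constructed sample accounts: name -> (password, privileged?)
USERS = {
    "alice": ("alice-pw", False),
    "bob":   ("bob-pw",   True),
}
SELF_SERVICE = "/rt/SelfService/"      # where unprivileged users are sent


class Server:
    """Holds server-side sessions keyed by the id carried in the cookie."""

    def __init__(self, cookie_survives_redirect):
        self.sessions = {}             # sid -> {} or {"user": name}
        # Assumption: models whether the Set-Cookie for the new id is still
        # present on a 302 (err_headers_out) or dropped with it (headers_out).
        self.cookie_survives_redirect = cookie_survives_redirect

    def _session(self, sid):
        """Return (sid, data); unknown or absent ids get a fresh anonymous session."""
        if sid not in self.sessions:
            sid = secrets.token_hex(16)
            self.sessions[sid] = {}
        return sid, self.sessions[sid]

    def _regenerate(self, old_sid):
        """Session-fixation defence: move the session to a fresh id and retire
        the old one, so an id known before login is worthless after it."""
        data = self.sessions.pop(old_sid)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = data
        return new_sid

    def request(self, cookie_sid, path, user=None, password=None):
        """Serve one request; the dict stands in for the HTTP response."""
        sid, sess = self._session(cookie_sid)
        set_cookie = sid               # (re)issue whichever id is live
        if user is not None and user in USERS and password == USERS[user][0]:
            sid = self._regenerate(sid)
            sess = self.sessions[sid]
            sess["user"] = user
            set_cookie = sid           # the browser must learn the NEW id
        who = sess.get("user")
        privileged = USERS[who][1] if who else False
        if who and not privileged and not path.startswith(SELF_SERVICE):
            status, location = 302, SELF_SERVICE
        else:
            status, location = 200, None
        if status == 302 and not self.cookie_survives_redirect:
            set_cookie = None          # buggy case: cookie lost with the redirect
        return {"status": status, "location": location, "set_cookie": set_cookie,
                "path": path, "user": who}


class Browser:
    """A one-cookie client that follows redirects."""

    def __init__(self, server):
        self.server = server
        self.sid = None

    def visit(self, path, user=None, password=None):
        r = self.server.request(self.sid, path, user, password)
        if r["set_cookie"]:
            self.sid = r["set_cookie"]
        if r["status"] == 302:         # follow with whatever cookie we hold now
            return self.visit(r["location"])
        return r


def scenario(cookie_survives_redirect):
    """Replay the thread: Alice logs in at /rt, logs in again wherever she
    lands, then Bob (privileged) logs in from that same page."""
    b = Browser(Server(cookie_survives_redirect))
    b.visit("/rt")                                          # fetch the login page
    first = b.visit("/rt", "alice", "alice-pw")
    second = b.visit(first["path"], "alice", "alice-pw")
    bob = b.visit(first["path"], "bob", "bob-pw")
    return {"first": first, "second": second, "bob": bob}


def fixation_attempt(cookie_survives_redirect=True):
    """True if a session id known before login is still valid after it."""
    s = Server(cookie_survives_redirect)
    victim = Browser(s)
    victim.visit("/rt")
    planted = victim.sid               # assume an attacker learned this id
    victim.visit("/rt", "alice", "alice-pw")
    return planted in s.sessions


if __name__ == "__main__":
    for flag in (False, True):
        r = scenario(flag)
        print("cookie survives redirect:", flag)
        print("  first login lands on", r["first"]["path"], "as", r["first"]["user"])
        print("  second login lands on", r["second"]["path"], "as", r["second"]["user"])
        print("  Bob lands on", r["bob"]["path"], "as", r["bob"]["user"])
        print("  planted id still valid:", fixation_attempt(flag))
```

`scenario(False)` reproduces the thread: the old id is retired by the regeneration, the browser never learns the new one, so the follow-up request to /rt/SelfService/ arrives anonymous and gets the login form at that URL; the second login is served with a 200, so the cookie reaches the browser and it works; Bob then lands on the self-service page simply because that is where he submitted the form. `scenario(True)` is the repaired behaviour. `fixation_attempt()` returns False in both modes, which is the property worth keeping: the fix for the lost cookie is to deliver the Set-Cookie on the redirect, not to stop regenerating the id.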

> I’d be interested to know if the following patch fixes this on debian
> stable. You should be able to apply it with
>
> cd /usr/share/request-tracker3.6; patch < ErrHeadersOut.patch
>
> and a restart of apache

Your patch seems to be missing :)

Also I would like to advise against patching package-installed files
directly in this way – it’s a very good way of getting confused as to
which version of the software you have installed. I will happily supply
a test package if required.

Thanks for looking at this, and sorry that I haven’t been able to be
more proactive.

Dominic Hargreaves, Systems Development and Support Team
Computing Services, University of Oxford


> While I’m here though, I thought I could point out a few things about
> general RT packaging in Debian.
>
> Debian stable’s update policy is not to upload new upstream releases
> and we certainly wouldn’t update from 3.6 to 3.8 in unstable.

For the avoidance of doubt, this was a typo. Unstable has had 3.8
since 2009-03-09.

Dominic Hargreaves, Systems Development and Support Team
Computing Services, University of Oxford


> > I’d be interested to know if the following patch fixes this on debian
> > stable. You should be able to apply it with
> >
> > cd /usr/share/request-tracker3.6; patch < ErrHeadersOut.patch
> >
> > and a restart of apache
>
> Your patch seems to be missing :)

Pull d9ab3597c6193ac82d93bc7882c06f8eab7cbc86 out of the git repo

> Also I would like to advise against patching package-installed files
> directly in this way – it’s a very good way of getting confused as to
> which version of the software you have installed. I will happily supply
> a test package if required.

Unfortunately, without rebuilding a .deb and making that available,
this seems the easiest way for someone to test the patch.

> Thanks for looking at this, and sorry that I haven’t been able to be
> more proactive.

I believe this will fix the report against lenny’s request-tracker3.6,
but I have no idea what is going on with etch’s request-tracker3.6 and
am unlikely to be able to install an etch system to test. The bug
report in the Debian tracker sounded like mismatched URLs/cookies.

-kevin

> Pull d9ab3597c6193ac82d93bc7882c06f8eab7cbc86 out of the git repo
>
> > Also I would like to advise against patching package-installed files
> > directly in this way – it’s a very good way of getting confused as to
> > which version of the software you have installed. I will happily supply
> > a test package if required.
>
> Unfortunately, without rebuilding a .deb and making that available,
> this seems the easiest way for someone to test the patch.

Yeah, it’s a difficult problem. I’ll try and build a package with this
patch later on this evening in any case, in case that helps.
Another suggestion would be to give instructions that result in a
file in /usr/local/request-tracker3.6/lib instead.

> > Thanks for looking at this, and sorry that I haven’t been able to be
> > more proactive.
>
> I believe this will fix the report against lenny’s request-tracker3.6,
> but I have no idea what is going on with etch’s request-tracker3.6 and
> am unlikely to be able to install an etch system to test. The bug
> report in the Debian tracker sounded like mismatched URLs/cookies.

Okay, thanks.

Dominic.

Dominic Hargreaves, Systems Development and Support Team
Computing Services, University of Oxford


> > While I’m here though, I thought I could point out a few things about
> > general RT packaging in Debian.
> >
> > Debian stable’s update policy is not to upload new upstream releases
> > and we certainly wouldn’t update from 3.6 to 3.8 in unstable.
>
> For the avoidance of doubt, this was a typo. Unstable has had 3.8
> since 2009-03-09.

Unfortunately I need to have 3.8 in the stable branch or available in the
backports repository. This weird problem and the need to allow
unprivileged users to read RTFM articles prompted me to roll 3.8 on my
own.

David Griffith
dgriffi@cs.csubak.edu


> > Pull d9ab3597c6193ac82d93bc7882c06f8eab7cbc86 out of the git repo
>
> > > Also I would like to advise against patching package-installed files
> > > directly in this way – it’s a very good way of getting confused as to
> > > which version of the software you have installed. I will happily supply
> > > a test package if required.
>
> > Unfortunately, without rebuilding a .deb and making that available,
> > this seems the easiest way for someone to test the patch.
>
> Yeah, it’s a difficult problem. I’ll try and build a package with this
> patch later on this evening in any case, in case that helps.
> Another suggestion would be to give instructions that result in a
> file in /usr/local/request-tracker3.6/lib instead.

I’ve put test packages at

http://people.debian.org/~dom/rt-test/

David, I’d be grateful if you could give these a spin.

Cheers,
Dominic.

Dominic Hargreaves, Systems Development and Support Team
Computing Services, University of Oxford


The double login prompt for unprivileged users was originally reported
by on RT3.6.

However, I just experienced it on 3.8.4 (installed from Ubuntu Karmic
package) after applying the RT patch for 3.8.0 - 3.8.5.

I tested that I definitely had the bug, only with unprivileged users
(1st login resulted in same blank login form but at the /SelfService/
url instead of the original $WebPath url), and only had it after
applying the security patch.

I fixed it by removing a partial condition from a section of the patch:

+unless ($session{'CurrentUser'} && $session{CurrentUser}->id) {

became:

+unless ($session{'CurrentUser'}
+ && $session{CurrentUser}->id
+ ) {
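Review bot: as quoted, the "became" form is the same boolean test as the original, only split over three lines, so if the behaviour really changed then the `&& $session{CurrentUser}->id` line must have been removed or commented out in the installed file; please paste the exact lines as they now stand. Dropping that clause also weakens the check: the original condition treats a CurrentUser object whose `id` is false (an object present in the session but never loaded from the database) as not logged in, whereas the reduced condition accepts any CurrentUser object at all, which is exactly the state a session-fixation fix is trying not to trust. The quoting difference is cosmetic: in Perl `$session{'CurrentUser'}` and `$session{CurrentUser}` address the same hash key, since a bare identifier inside hash-subscript braces is auto-quoted.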

and now it works again.

Not sure what the consequence of this is, or if it is significant that
CurrentUser is enclosed in single quotes in one part of the condition
and none in the other.

Allen

Hi,

On Tue, Dec 15, 2009 at 6:30 PM, Dominic Hargreaves dominic.hargreaves@oucs.ox.ac.uk wrote:

> I’ve put test packages at
>
> http://people.debian.org/~dom/rt-test/
>
> David, I’d be grateful if you could give these a spin.

I installed your test packages and it works fine for me.

Thanks to Kevin and you for the fix and the package.

Kind Regards.

Regards,

Italo Valcy :: http://wiki.dcc.ufba.br/~ItaloValcy