Urgent: disable search for new watchers

Hi,

RT is 3.6.1 on a Debian system

we just found out that in the people section everyone who can log in can
search for people. So a person who has the following rights:

CreateTicket
ReplyToTicket
SeeQueue
ShowTicket

can go to the people section and do a search like:

userid doesn’t contain xyz

he gets all the users of the RT. Since this is a security issue, is
there anything that I can do to prevent these searches?

It might be disabled in a newer version, if so which would that be?

A quick search on the list didn’t give me an answer, therefore I have to
ask this. Sorry if it’s been on the list before.

Quick help is really appreciated, thanks in advance!!!

Regards
Violetta

________________________________ creating IT solutions
Violetta J. Wawryk science + computing ag
IT-Service Hagellocher Weg 73
phone +49 7071 9457 282 72070 Tuebingen, Germany
fax +49 7071 9457 211 www.science-computing.de
Vorstand/Board of Management:
Dr. Bernd Finkbeiner, Dr. Roland Niemeier,
Dr. Arno Steitz, Dr. Ingrid Zech
Vorsitzender des Aufsichtsrats/
Chairman of the Supervisory Board:
Michel Lepert
Sitz/Registered Office: Tuebingen
Registergericht/Registration Court: Stuttgart
Registernummer/Commercial Register No.: HRB 382196

Violetta,

Why is it a security issue? If your privileges are allowing them to
go to a user “Preferences”, then I understand, but to just know what
UserIds are on the system doesn’t seem like a big deal to me.

Kenn
LBNL

On 6/18/2009 7:28 AM, Violetta J. Wawryk wrote:


Why is it a security issue? If your privileges are allowing them to
go to a user “Preferences”, then I understand, but to just know what
UserIds are on the system doesn’t seem like a big deal to me.
It gives them an edge in trying to crack other accounts, because
they then already have half the authentication pair. On the other hand,
they can already determine the name of a privileged user by looking at
who owns their ticket or otherwise converse with them via RT.

Cambridge Energy Alliance: Save money. Save the planet.

Jerrad,

Yes, but you can keep them out of other accounts by removing so many
global privileges and making them “Queue-level” privileges. That way, no
one can get into a Queue unless specifically allowed to by privileges.

Kenn
LBNL

On 6/18/2009 8:31 AM, Jerrad Pierce wrote:

On Thu, Jun 18, 2009 at 11:27, Ken Crocker <kfcrocker@lbl.gov> wrote:

Why is it a security issue? If your privileges are allowing them to
go to a user “Preferences”, then I understand, but to just know what
UserIds are on the system doesn’t seem like a big deal to me.

It gives them an edge in trying to crack other accounts, because
they then already have half the authentication pair. On the other hand,
they can already determine the name of a privileged user by looking at
who owns their ticket or otherwise converse with them via RT.

Yes, but you can keep them out of other accounts by removing so many
global privileges and making them “Queue-level” privileges. That way, no one
can get into a Queue unless specifically allowed to by privileges.
I think you missed the “crack” part.

If I can get a list of usernames on a system, it’s that much easier to run a
dictionary attack against. So joeblow sees that admin1 is a valid account,
starts guessing passwords and eventually ends up logged in as admin1.
Farfetched, and not the most probable scenario/target(RT), but possible.

Cambridge Energy Alliance: Save money. Save the planet.

we just found out that in the people section everyone who can log in
can search for people. So a person who has the following rights:

CreateTicket
ReplyToTicket
SeeQueue
ShowTicket

can go to the people section and do a search like:

userid doesn’t contain xyz

I suspect you also have granted ShowConfigTab, otherwise
these users wouldn’t see the Configuration menu.

There have been numerous fixes to this in the 3.8 series
and 3.6.7 was recently released to fix a different permissions issue

-kevin

  • Ken Crocker:

Violetta,

Why is it a security issue?

Email addresses themselves are considered valuable data by some
people. In this particular case, it might also reveal customer
contacts (which could be abused for various purposes, not just sending
spam).

Florian Weimer fweimer@bfk.de
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99

Violetta;

You also made these people privileged (“Let this user be granted rights”
is ticked). The question is, do you want them to be privileged? If these
are your customers, then you should untick this and force them into the
restricted SelfService. If you have to have them privileged, then by
default they will see the People tab, and to restrict that you will
need to add extra code in a few places.

Regards;
Roy

Violetta J. Wawryk wrote:

Hello,

Yes, I have to make him privileged because he is a kind of control
instance who has to see what orders (a ticket is an order) have been made.

Thanks to all who answered. I cannot believe that no one ever thought of
this as a security bug.

@Kevin: no I did not grant ShowConfigTab to anyone, to be honest I
didn’t even know that this one existed.

Email addresses themselves are considered valuable data by some
people. In this particular case, it might also reveal customer
contacts (which could be abused for various purposes, not just sending
spam).

@Florian: yes, you are absolutely right.

Since a colleague found another security issue, can anyone tell me an
email address where to send security issues that should definitely not be
public?

Thanks in advance
Violetta

Raed El-Hames wrote:


Because it’s not a security issue, your implementation might be wrong and
causing a security concern to you.
The “him” you are talking about, is he a staff member? If yes, then in
my opinion there is no harm in letting him see all the email addresses; I am
sure if he is to abuse any data available to him he would do that with
not just RT but all the other internal systems available to him.
If he is a customer or third party, then you would need to change the
way you are using RT with regard to customers/3rd party, and make them
un-privileged. Un-privileged users can still access RT and are able to see
all tickets where they are the requesters, or even Cc, with little
modification to the SelfService interface.

Regards;
Roy

Violetta J. Wawryk wrote:

Hello,

Thanks to all who answered. I cannot believe that no one ever thought of
this as a security bug.

The “full” interface of RT is really intended as an interface for staff
which is likely why you’re finding that nobody else considers this a
security issue.

Since a colleague found another security issue, can anyone tell me an
email address where to send security issues that should definitely not be
public?

Certainly. Please email security@bestpractical.com. Thanks very much
for your diligence.

Best,
Jesse Vincent
Best Practical

Yes, I have to make him privileged because he is a kind of control
instance who has to see what orders (a ticket is an order) have been
made.

Thanks to all who answered. I cannot believe that no one ever thought of
this as a security bug.

@Kevin: no I did not grant ShowConfigTab to anyone, to be honest I
didn’t even know that this one existed.

I just installed RT 3.6.1 and made a privileged tester user
that has been globally granted
CreateTicket
ReplyToTicket
SeeQueue
ShowTicket

When logging in as this user, I don’t see the Configuration tab.
How do I navigate to the User search page to test userid doesn’t
contain xyz?

-kevin

Kevin;

Open any of the tickets you can see and click on the People tab
Find people whose
User Id doesn’t contain xyz and click Go!

Roy

Kevin Falcone wrote:

On Jun 19, 2009, at 4:22 AM, Violetta J. Wawryk wrote:



http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

Open any of the tickets you can see and click on the People tab
Find people whose
User Id doesn’t contain xyz and click Go!

Oh, that user search. I thought we were allowing
access to the user administration section

Thank you for a clearer bug report Raed

As Jesse said, the full UI is meant for staff, which
explains the ability to see other users. It isn’t clear
to me how people would want this fixed, since
removing the ability to search pretty much dooms
people to typing in email addresses incorrectly

-kevin

Oh, that user search. I thought we were allowing
access to the user administration section

Thank you for a clearer bug report Raed

As Jesse said, the full UI is meant for staff, which
explains the ability to see other users. It isn’t clear
to me how people would want this fixed, since
removing the ability to search pretty much dooms
people to typing in email addresses incorrectly

Agree, I think it was down to wrong implementation as I and Jesse
explained in earlier posts.

Regards;

Roy

Violetta,

I just thought of an idea, but it would require a bit of work. Why
not try to create some views that have only the info you want these users to
see and then remove them from RT. They can still get to the RT info thru
the views, which SHOULD suffice, since they are gonna be creating
searches and reports. I’m not sure how your infrastructure is where you
work, but we have many users that do NOT access RT, but create their own
SQL reports all the time thru the views. We’re on Oracle, but I’m sure
the same concept is doable with other DB’s. I even have some SQL that I
use to create the views. I’d be MORE than happy to send it to you and
you can modify the info as per your needs. They even have comments,
which you can’t get to in RT Query. Just a thought.

Kenn
LBNL

On 6/19/2009 1:22 AM, Violetta J. Wawryk wrote:


Hi Kenn,

I might not understand your concept. What does such a view look like?
Our customer wants to check anytime which tickets are new, open and
resolved, which I thought is the quickest via browsing the RT. Of course
I am happy to get more information about your views, but to be honest, in
my opinion RT should offer me that requirement.

Regards
Violetta

Ken Crocker wrote:


Violetta,

In Oracle (and I assume other DB’s) a “View” is a way to allow users
to “See” specific data on a database without allowing them to “See it
all” nor to change the data. It is “Realtime”. By using SQL, I create a
VIEW to RT Data. Meaning, a “pseudo-table”. Let’s say I have 3 fields
from table 1, 2 fields from table 2, 8 fields from table 3 that I want
some users to see. I do NOT want them to see “other” information, nor do
I want these users to be able to modify any of the table data. So, I
create a “view” of these fields from the various tables and it is
accessed much like one would access a table in a DataBase. Hence the
term “View”. Your DBA could tell you if your environment has such a
thing. IF so, they can tell you how to create it. It is ALWAYS
accessible (via userid and password) as long as the DataBase is up, and
the data is NOT loaded, it is “filtered” so to speak. Think of it as a
WINDOW to the DataBase. You can’t see it all, you can only see what is
specified. Hope this helps.

Kenn
LBNL

On 6/22/2009 2:03 AM, Violetta J. Wawryk wrote:

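As an added illustration of the view approach Ken describes (this is not Ken's SQL, which he only offers to send, and not part of the thread), here is what a read-only reporting view for Violetta's actual need, seeing which tickets are new, open or resolved, could look like on Oracle. The RT 3.x table and column names used (Tickets, Queues, Users, Tickets.Status, Tickets.EffectiveId, Tickets.Owner, Users.Name) are assumed from the standard RT schema; the role name rt_report_ro, the view name rt_ticket_status_v and the queue name 'Orders' are placeholders to adapt to the installation.

```sql
-- Added example, not from the thread. Assumes the standard RT 3.x schema
-- (Tickets, Queues, Users); rt_report_ro, rt_ticket_status_v and the
-- queue name 'Orders' are placeholders.

-- 1. A dedicated role for report users. It gets rights on the view only,
--    never on the base tables, so it cannot read Users.EmailAddress at all.
CREATE ROLE rt_report_ro;

-- 2. The view: exactly the fields a "control instance" needs to follow
--    orders, and nothing from the user/address data the thread worries about.
--    The owner appears as a login name only; no email address is selected.
CREATE OR REPLACE VIEW rt_ticket_status_v AS
SELECT t.id        AS ticket_id,
       t.Subject   AS subject,
       t.Status    AS status,
       q.Name      AS queue_name,
       u.Name      AS owner_login,
       t.Created   AS created,
       t.Resolved  AS resolved
  FROM Tickets t
  JOIN Queues  q ON q.id = t.Queue
  JOIN Users   u ON u.id = t.Owner
 WHERE t.Status IN ('new', 'open', 'resolved')
   AND t.EffectiveId = t.id        -- hide tickets merged into another ticket
   AND q.Name = 'Orders'           -- placeholder: the customer's own queue
  WITH READ ONLY;                  -- Oracle: no INSERT/UPDATE/DELETE through the view

-- 3. Grant SELECT on the view only. Granting on Tickets, Queues or Users
--    would reopen exactly the exposure the view is meant to close.
GRANT SELECT ON rt_ticket_status_v TO rt_report_ro;

-- What the customer's reporting account (holding only rt_report_ro) runs:
SELECT status, COUNT(*) AS tickets
  FROM rt_ticket_status_v
 GROUP BY status;
```

The caveat a practitioner would add to Ken's suggestion: a database view reads the tables directly, so RT's own rights (ShowTicket, SeeQueue and the rest) play no part in it. The column list, the WHERE clause and the GRANT become the entire access control, which is why the view above names its columns explicitly rather than using SELECT *, and why the grant goes to the view and not to the underlying tables. Review the view definition after any RT upgrade, since a schema change can silently alter what it exposes.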