Yes, I have to make him privileged because he is a kind of control
instance who has to see what orders (a ticket is an order) have been made.
Thanks to all who answered. I cannot believe that no one ever thought of
this as a security bug.
@Kevin: no I did not grant ShowConfigTab to anyone, to be honest I
didn’t even know that this one existed.
Email addresses themselves are considered valuable data by some
people. In this particular case, it might also reveal customer
contacts (which could be abused for various purposes, not just sending
@Florian: yes, you are absolutely right.
Since a colleague found another security issue, can anyone tell me an
email address where to send security issues that should definitely not be
Thanks in advance
Raed El-Hames wrote:
You also made these people privileged (Let this user be granted rights
is ticked), the question is do you want them to be privileged, if these
are your customers then you should untick this and force them into the
restricted SelfService, if you have to have them privileged then by
default they will see the peoples tab, and to restrict that you will
need to add extra code in a few places.
Violetta J. Wawryk wrote:
RT is 3.6.1 on a debian system
we just found out that in the people section everyone who can log in
can search for people. So a person who has the following rights:
can go to the people section and do a search like:
userid doesn’t contain xyz
he gets all the users of the RT. Since this is a security issue, is
there anything that I can do to prevent these searches?
It might be disabled in a newer version, if so which would that be?
A quick search on the list didn’t give me an answer, therefore I have
to ask this. Sorry if it’s been on the list before.
Quick help is really appreciated, thanks in advance!!!