I have a very serious security problem with 3.8 installation (3.8.6 currently).
Logged-in user sessions are being mixed up. One logged-in user becomes another logged-in user as seen by RT. It happens at different moments. For example, I'm user A and after clicking to view some ticket I become user B. Or I'm logged in as user A but suddenly I get a prompt about needing to log in, and after logging in with user A's data I become user C (in this case "Successful login for .." isn't logged).

I tried using the default settings (sessions kept in MySQL) but also Apache::Session::File. The problem happens in both cases. I'm using mod_perl to run RT. It happens with different browsers: Firefox, Opera.

Any ideas on how to debug it?

perl packages are in fresh versions:

config:

# grep -v '^#' /etc/rt3/RT_SiteConfig.pm | grep -v '^$'
Set($rtname, 'domena.pl');
Set($EmailSubjectTagRegex, qr/(?:bla1\.eu|bla2\.pl)/i );
Set($Organization , "Something");
Set($Timezone , 'Europe/Warsaw');
Set($DatabaseUser , 'someuser');
Set($DatabasePassword , 'somepass');
Set($DatabaseName , 'rt3');
Set($OwnerEmail , 'sysad...@ble3.pl');
Set($LoopsToRTOwner , 0);
Set($StoreLoops , 0);
Set($MaxAttachmentSize , 10000000);
Set($RTAddressRegexp , '^...@rt.ble.pl$');
Set($CanonicalizeOnCreate , 0);
Set($CorrespondAddress , 'sysad...@ble3.pl');
Set($CommentAddress , 'sysad...@ble3.pl');
Set($MailCommand , 'sendmailpipe');
Set($SendmailArguments , "-oi -t");
Set($SendmailBounceArguments , '-f "<>"');
Set($UseFriendlyFromLine , 1);
Set($FriendlyFromLineFormat , "\"%s via RT\" <%s>");
Set($UseFriendlyToLine , 1);
Set($NotifyActor, 0);
Set($RecordOutgoingEmail, 1);
Set($LogToSyslog , 'error');
Set($LogToScreen , 'error');
Set($LogToFile , 'debug');
Set($LogDir, '/var/log');
Set($LogToFileNamed , "rt.log"); #log to rt.log
Set($WebPath , "");
Set($WebPort , 443);
Set($WebBaseURL , "https://rt.ble.eu");
Set($WebURL , $WebBaseURL . $WebPath . "/");
Set($WebImagesURL , $WebPath . "/NoAuth/images/");
Set($LogoURL , $WebImagesURL . "bplogo.gif");
Set($MessageBoxRichText, 0);
Set($MessageBoxWidth , 120);
Set($MessageBoxHeight, 25);
Set($WikiImplicitLinks, 0);
Set($MaxInlineBody, 15728640);
Set($DefaultSummaryRows, 50);
Set($OldestTransactionsFirst, '1');
Set($ShowTransactionImages, 1);
Set($HomepageComponents, [qw(QuickCreate Quicksearch MyAdminQueues MySupportQueues MyReminders RefreshHomepage)]);
@EmailInputEncodings = qw(utf-8 iso-8859-2 iso-8859-1 us-ascii) unless (@EmailInputEncodings);
Set($EmailOutputEncoding , 'utf-8');
Set($DateDayBeforeMonth , 1);
Set($AmbiguousDayInPast , 1);
Set($TrustHTMLAttachments, 1);
Set(%GnuPGOptions, homedir => '/var/lib/rt-gpg', );
Set($AutoLogoff, 180);
Set($WebSecureCookies, 1);
1;

part of vhost config:

DocumentRoot /usr/share/rt3/html
Alias /NoAuth/images/ /usr/share/rt3/html/NoAuth/images/
Alias /error/ "/home/services/httpd/error/"
AddDefaultCharset UTF-8
PerlModule Apache2::compat
PerlModule Apache::DBI
PerlRequire /usr/bin/webmux.pl
<Location /error>
</Location>
<Location />
    AuthUserFile /somefile
    AuthGroupFile /dev/null
    AuthName Strefa-admin
    AuthType Basic
    AddDefaultCharset UTF-8
    Options ExecCGI
    SetHandler perl-script
    PerlHandler RT::Mason
</Location>

ps. I didn't have this problem for some time but it started to happen again :/

--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/