Re: [rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]
> This patch doesn't solve the issue. People still get mixed sessions (test was done after deleting all sessions from sessions table and restarting apache).

Hang on. Is mod_cache caching more than the files marked static, never changes? Since this patch should stop RT from putting cookie headers on any static content (and a fair bit more that we can get away without them on)

-j

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm index b82b638..dccf829 100755 --- a/lib/RT/Interface/Web.pm +++ b/lib/RT/Interface/Web.pm @@ -279,7 +279,6 @@ sub MaybeShowNoAuthPage { return unless $m-base_comp-path =~ RT-Config-Get('WebNoAuthRegex'); # If it's a noauth file, don't ask for auth. -SendSessionCookie(); $m-comp( { base_comp = $m-request_comp }, $m-fetch_next, %$ARGS ); $m-abort; }

--
Arkadiusz Miśkiewicz, PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/

___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com
Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]
> Cache: no-cache but that will prevent caching at all. Seem to be no way to prevent caching cookies from application side.

What's the current state of browser in-memory/on-disk caching with the Cache: no-cache header?

The attached patch against 3.8.6 might be the right solution for you. I'd consider making this change to RT if you can report back and tell me if it does the right thing for you:

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm index b82b638..dccf829 100755 --- a/lib/RT/Interface/Web.pm +++ b/lib/RT/Interface/Web.pm @@ -279,7 +279,6 @@ sub MaybeShowNoAuthPage { return unless $m-base_comp-path =~ RT-Config-Get('WebNoAuthRegex'); # If it's a noauth file, don't ask for auth. -SendSessionCookie(); $m-comp( { base_comp = $m-request_comp }, $m-fetch_next, %$ARGS ); $m-abort; }
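Review bot: dropping `SendSessionCookie();` from `MaybeShowNoAuthPage` only removes the Set-Cookie header from responses whose path matches `WebNoAuthRegex`; every authenticated response still carries the session cookie, and nothing in the hunk marks those responses as uncacheable, so a shared cache such as the mod_cache setup described earlier in the thread can still store one user's response and replay its Set-Cookie to the next user (which is consistent with the later report that sessions still mix after applying it). Suggest pairing the change with a `Cache-Control: private` (or `no-store`) header on any response that sets the session cookie, so a shared cache refuses to store it regardless of which path produced it. Also, as quoted here the hunk reads `$m-base_comp-path` and `RT-Config-Get(...)`: the method arrows (`->`) appear to have been lost in transit, so the text should be checked against the actual file before it is applied.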
Re: [rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]
On Monday 02 of November 2009, Jesse Vincent wrote:
> > Cache: no-cache but that will prevent caching at all. Seem to be no way to prevent caching cookies from application side.
>
> What's the current state of browser in-memory/on-disk caching with the Cache: no-cache header?
>
> The attached patch against 3.8.6 might be the right solution for you. I'd consider making this change to RT if you can report back and tell me if it does the right thing for you:

This patch doesn't solve the issue. People still get mixed sessions (test was done after deleting all sessions from sessions table and restarting apache).

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm index b82b638..dccf829 100755 --- a/lib/RT/Interface/Web.pm +++ b/lib/RT/Interface/Web.pm @@ -279,7 +279,6 @@ sub MaybeShowNoAuthPage { return unless $m-base_comp-path =~ RT-Config-Get('WebNoAuthRegex'); # If it's a noauth file, don't ask for auth. -SendSessionCookie(); $m-comp( { base_comp = $m-request_comp }, $m-fetch_next, %$ARGS ); $m-abort; }

--
Arkadiusz Miśkiewicz, PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/
Re: [rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]
On Friday 30 of October 2009, Jesse Vincent wrote:
> On Fri, Oct 30, 2009 at 03:13:33PM +0100, Arkadiusz Miskiewicz wrote:
> > On Friday 23 of October 2009, Arkadiusz Miskiewicz wrote:
> > > On Friday 23 of October 2009, Jesse Vincent wrote:
> > > > I don't think I've ever seen this with RT, but I have seen it with other applications - the cause is _usually_ an HTTP proxy that's caching RT's pages. Do you have any sort of HTTP proxy between your browsers and your server?
> > >
> > > No proxy. Also rt is served over https.
> >
> > There is no proxy but apache serving rt had mod_cache module installed which turns out to be caching cookies! Nightmare to track. Uninstalled and so far everything is working nicely. Now the question is can anything be done on rt level to prevent mod_cache from caching such stuff and actually creating security issues?
>
> Well, what does mod_cache need to know not to cache requests?

Cache: no-cache but that will prevent caching at all. Seem to be no way to prevent caching cookies from application side.

--
Arkadiusz Miśkiewicz, PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/
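The exchange above turns on what a shared cache is allowed to store and which header stops it. The following model is an added example written for this page, not RT code or anything from mod_cache or the list participants: a toy origin that sets a per-user session cookie on every page (as RT did on its no-auth pages), a minimal shared cache that applies the RFC 7234 storage rules, and a check that reports whether two different users were handed the same cookie. The cookie name `RT_SID`, the URL `/NoAuth/example.css` and the client names are constructed for the demonstration. It shows the three cases the thread circles around: no cache headers (sessions mix), `Cache-Control: no-cache` (no mixing, but every request goes back to the origin, which is the "prevents caching at all" effect described above), and `Cache-Control: private` (no mixing, and a shared cache simply declines to store the response).

```python
"""Constructed model (not RT or mod_cache code) of how a shared HTTP cache in
front of a session-based application can hand one user's Set-Cookie to another,
and which Cache-Control directives stop it."""

from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict  # lower-case header name -> value
    body: str


def cache_directives(headers):
    """Return the Cache-Control directive names of a response as a lower-case set."""
    value = headers.get("cache-control", "")
    return {part.strip().split("=", 1)[0].lower() for part in value.split(",") if part.strip()}


def shared_cache_may_store(resp, refuse_set_cookie=False):
    """RFC 7234 section 3 storage rule for a *shared* cache, reduced to what matters here.

    - Cache-Control: no-store or private forbids storage in a shared cache.
    - Cache-Control: no-cache does NOT forbid storage; it only requires
      revalidation before reuse (handled in SharedCache.fetch).
    - HTTP itself does not forbid storing a response that carries Set-Cookie.
      Some caches refuse anyway as a safety heuristic; that is the optional
      refuse_set_cookie behaviour, off by default to model the setup in the thread.
    """
    if resp.status != 200:
        return False
    cc = cache_directives(resp.headers)
    if "no-store" in cc or "private" in cc:
        return False
    if refuse_set_cookie and "set-cookie" in resp.headers:
        return False
    return True


class SharedCache:
    """A minimal shared cache keyed by URL only, like a proxy or mod_cache."""

    def __init__(self, origin, refuse_set_cookie=False):
        self.origin = origin
        self.refuse_set_cookie = refuse_set_cookie
        self.store = {}
        self.origin_hits = 0

    def fetch(self, url, client):
        cached = self.store.get(url)
        # A stored response marked no-cache must be revalidated; this model has
        # no conditional requests, so revalidation is a full origin round trip.
        if cached is not None and "no-cache" not in cache_directives(cached.headers):
            return cached
        self.origin_hits += 1
        resp = self.origin(url, client)
        if shared_cache_may_store(resp, self.refuse_set_cookie):
            self.store[url] = resp
        return resp


def make_origin(extra_headers):
    """Toy application that issues a per-client session cookie on every page.
    extra_headers is merged into every response it produces."""

    def origin(url, client):
        headers = {
            "content-type": "text/html",
            "set-cookie": "RT_SID=sess-%s; path=/" % client,  # constructed cookie name
        }
        headers.update(extra_headers)
        return Response(200, headers, "page %s rendered for %s" % (url, client))

    return origin


def sessions_served(extra_headers, clients=("alice", "bob"), url="/NoAuth/example.css"):
    """Run each client through one shared cache; return the session cookie each
    client received and how many requests actually reached the origin."""
    cache = SharedCache(make_origin(extra_headers))
    seen = {c: cache.fetch(url, c).headers["set-cookie"] for c in clients}
    return seen, cache.origin_hits


def sessions_mixed(extra_headers):
    """True when two different clients were handed the same session cookie."""
    seen, _ = sessions_served(extra_headers)
    return len(set(seen.values())) < len(seen)


if __name__ == "__main__":
    for label, hdrs in [
        ("no cache headers", {}),
        ("Cache-Control: no-cache", {"cache-control": "no-cache"}),
        ("Cache-Control: private", {"cache-control": "private"}),
    ]:
        seen, hits = sessions_served(hdrs)
        print("%-26s mixed=%-5s origin_hits=%d %s" % (label, sessions_mixed(hdrs), hits, seen))
```

On the Apache side the same effect can be obtained without touching the application: mod_cache's `CacheIgnoreHeaders Set-Cookie` keeps the cookie header out of whatever it stores, and mod_headers can add `Header set Cache-Control "private"` to the locations that issue sessions. `private` is the directive the no-cache discussion is reaching for: it forbids storage by shared caches while still letting the user's own browser cache the response.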
Re: [rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]
On Friday 23 of October 2009, Arkadiusz Miskiewicz wrote:
> On Friday 23 of October 2009, Jesse Vincent wrote:
> > I don't think I've ever seen this with RT, but I have seen it with other applications - the cause is _usually_ an HTTP proxy that's caching RT's pages. Do you have any sort of HTTP proxy between your browsers and your server?
>
> No proxy. Also rt is served over https.

There is no proxy but apache serving rt had mod_cache module installed which turns out to be caching cookies! Nightmare to track. Uninstalled and so far everything is working nicely. Now the question is can anything be done on rt level to prevent mod_cache from caching such stuff and actually creating security issues?

ps. issues.apache.org is full of weird mod_cache related things

-jesse

--
Arkadiusz Miśkiewicz, PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/
Re: [rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]
On Fri, Oct 30, 2009 at 03:13:33PM +0100, Arkadiusz Miskiewicz wrote:
> On Friday 23 of October 2009, Arkadiusz Miskiewicz wrote:
> > On Friday 23 of October 2009, Jesse Vincent wrote:
> > > I don't think I've ever seen this with RT, but I have seen it with other applications - the cause is _usually_ an HTTP proxy that's caching RT's pages. Do you have any sort of HTTP proxy between your browsers and your server?
> >
> > No proxy. Also rt is served over https.
>
> There is no proxy but apache serving rt had mod_cache module installed which turns out to be caching cookies! Nightmare to track. Uninstalled and so far everything is working nicely. Now the question is can anything be done on rt level to prevent mod_cache from caching such stuff and actually creating security issues?

Well, what does mod_cache need to know not to cache requests?

ps. issues.apache.org is full of weird mod_cache related things

-jesse

--
Arkadiusz Miśkiewicz, PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/