Re: [rt-users] RT Upgrade problem
On Friday 02 of September 2011, Kevin Falcone wrote:
> On Thu, Sep 01, 2011 at 05:32:00PM +, Derek Rumig wrote:
> > I was running 3.8.7 and had a user using the 3.5-default. Now he cannot
> > login with 4.0.1 and gets the error
> >   Could not find component for path `/NoAuth/css/3.5-default/main.css'
> > Anyone know where in the database you can set the user's theme? Or if
> > there is a way around this?
>
> There's a bug open for this
> http://issues.bestpractical.com/Ticket/Display.html?id=18271 (guest/guest)
>
> You can delete all of their preferences by finding the Attributes record
> named Pref-RT::System-1 with the appropriate ObjectType and ObjectIds

Or just symlink 3.5-default to another existing theme dir, log in and change
the theme in preferences.

> -kevin

-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/

RT Training Sessions (http://bestpractical.com/services/training.html)
* Chicago, IL, USA  September 26 & 27, 2011
* San Francisco, CA, USA  October 18 & 19, 2011
* Washington DC, USA  October 31 & November 1, 2011
* Melbourne VIC, Australia  November 28 & 29, 2011
* Barcelona, Spain  November 28 & 29, 2011
Re: [rt-users] disable quote folding in 4.x
On Monday 29 of August 2011, Arkadiusz Miskiewicz wrote:
> Is there a way to disable quote folding in 4.x? Some of my users are
> confused by this new feature and unintentionally ignore important
> information :/
>
> (feature request is to make this a per user setting)

Using this hack for now.

diff -ubB Ticket/Elements/ShowMessageStanza~ Ticket/Elements/ShowMessageStanza --- Ticket/Elements/ShowMessageStanza~ 2011-08-28 16:30:39.0 +0200 +++ Ticket/Elements/ShowMessageStanza 2011-08-30 11:48:17.262677292 +0200 @@ -107,7 +107,7 @@ $print_content-( \$para ); $para = ''; -$Depth++; +#$Depth++; push @stack, [ $Message, $i + 1 ]; ( $Message, $i ) = ( $stanza, -1 );
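Review bot: `+#$Depth++;` turns quote folding off unconditionally for every user and leaves dead code behind, while the request this answers asks for a per-user setting; make the increment conditional on a preference instead of commenting it out, for instance `$Depth++ unless $no_fold;` with `$no_fold` read from a config or user preference (the name is a suggestion, not an existing RT option). Editing `Ticket/Elements/ShowMessageStanza` in place is also lost on the next upgrade; the modified component belongs in RT's local override directory.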
Re: [rt-users] mysql sphinx
On Monday 29 of August 2011, Alex Vandiver wrote:
> Does that help to clarify the limitation?

Yes, it does. Thanks. More questions follow.

I see that sphinx is learning only attachments with ContentType =
'text/plain' entries, which looks unfortunate since I have tons of html
email. Did indexing text/html and having html_strip=1 [1] in sphinx produce
any problems that caused only text/plain to be chosen for indexation in
rt-setup-fulltext-index?

1. http://sphinxsearch.com/docs/current.html#conf-html-strip

ps. here is my setup with delta indexes, could be useful for other people

source rt
{
    type            = mysql
    sql_host        = localhost
    sql_db          = rt3
    sql_user        =
    sql_pass        =

    sql_query_pre   = SET NAMES utf8
    sql_query_pre   = REPLACE INTO SphinxCounters SELECT 1, MAX(id) FROM Attachments
    sql_query       = \
        SELECT a.id, a.content FROM Attachments a \
        JOIN Transactions txn ON a.TransactionId = txn.id AND txn.ObjectType = 'RT::Ticket' \
        JOIN Tickets t ON txn.ObjectId = t.id \
        WHERE a.ContentType = 'text/plain' AND t.Status != 'deleted' \
        AND a.id <= ( SELECT max_doc_id FROM SphinxCounters WHERE counter_id=1 )
    sql_query_info  = SELECT * FROM Attachments WHERE id=$id
}

source rt_delta : rt
{
    sql_query_pre   = SET NAMES utf8
    sql_query       = \
        SELECT a.id, a.content FROM Attachments a \
        JOIN Transactions txn ON a.TransactionId = txn.id AND txn.ObjectType = 'RT::Ticket' \
        JOIN Tickets t ON txn.ObjectId = t.id \
        WHERE a.ContentType = 'text/plain' AND t.Status != 'deleted' \
        AND a.id > ( SELECT max_doc_id FROM SphinxCounters WHERE counter_id=1 )
    sql_query_info  = SELECT * FROM Attachments WHERE id=$id
    sql_query_post_index =
}

index rt
{
    source          = rt
    path            = /var/lib/sphinx/rt.index
    docinfo         = extern
    charset_type    = utf-8
    charset_table   = 0..9, A..Z->a..z, a..z, U+0143->U+0144, U+0104->U+0105, \
        U+0106->U+0107, U+0118->U+0119, U+0141->U+0142, U+00D3->U+00F3, \
        U+015A->U+015B, U+0179->U+017A, U+017B->U+017C, U+0105, U+0107, \
        U+0119, U+0142, U+00F3, U+015B, U+017A, U+017C, U+0144
}

(various charset_table entries are required for many non-english languages)

index rt_delta : rt
{
    source          = rt_delta
    path            = /var/lib/sphinx/rt.delta.index
}

CREATE TABLE `AttachmentsIndex` (
  `id` int(10) unsigned NOT NULL,
  `weight` int(11) NOT NULL,
  `query` varchar(3072) NOT NULL,
  KEY `query` (`query`(255))
) ENGINE=SPHINX DEFAULT CHARSET=utf8 CONNECTION='sphinx://127.0.0.1:3312/rt,rt_delta'

(note, two indexes in CONNECTION)

CREATE TABLE `SphinxCounters` (
  `counter_id` int(11) NOT NULL,
  `max_doc_id` int(11) NOT NULL,
  PRIMARY KEY (`counter_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8

all indexes updated daily, rt_delta updated every 15 minutes

# cat /etc/cron.d/sphinx
@daily       root /usr/bin/indexer --quiet --rotate --all
*/15 * * * * root /usr/bin/indexer --quiet --rotate rt_delta
[rt-users] mysql sphinx
Hi,

I'm going to setup full text search with mysql 5.5, sphinxse 2.1 and sphinxd
0.9.9.

max_matches worries me, from docs:

    Take, for example, the instance where Sphinx is configured to return a
    maximum of three results, and tickets 1, 2, 3, 4, and 5 contain the
    string "target", but only ticket 5 is in status "Open". A search for
    Content LIKE 'target' AND Status = 'Open' may return no results, despite
    ticket 5 matching those criteria, as Sphinx will only return tickets 1,
    2, and 3 as possible matches.

This means that sphinx will never ever return new matching tickets that are
above max_matches :-/

It would be acceptable if it used max_matches counting down from the latest
one, but this doc suggests it counts from the first one.

I assume there is no solution for this other than using some huge number as
max_matches?
Re: [rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]
On Monday 02 of November 2009, Jesse Vincent wrote:
> > Cache: no-cache but that will prevent caching at all. Seems to be no way
> > to prevent caching cookies from the application side.
>
> What's the current state of browser in-memory/on-disk caching with the
> Cache: no-cache header?
>
> The attached patch against 3.8.6 might be the right solution for you. I'd
> consider making this change to RT if you can report back and tell me if it
> does the right thing for you:

This patch doesn't solve the issue. People still get mixed sessions (the
test was done after deleting all sessions from the sessions table and
restarting apache).

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm index b82b638..dccf829 100755 --- a/lib/RT/Interface/Web.pm +++ b/lib/RT/Interface/Web.pm @@ -279,7 +279,6 @@ sub MaybeShowNoAuthPage { return unless $m-base_comp-path =~ RT-Config-Get('WebNoAuthRegex'); # If it's a noauth file, don't ask for auth. -SendSessionCookie(); $m-comp( { base_comp = $m-request_comp }, $m-fetch_next, %$ARGS ); $m-abort; }

_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com

Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
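Review bot: dropping `SendSessionCookie();` from MaybeShowNoAuthPage only changes what the NoAuth responses (paths matching WebNoAuthRegex) carry; the reply above reports sessions still mixing after the patch, so the hunk needs a companion change that marks the session-carrying authenticated responses as not storable by a shared cache rather than standing alone. A one-line comment after `# If it's a noauth file, don't ask for auth.` saying why no session cookie is sent for these paths would also keep the call from being reinstated later as an apparent fix.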
Re: [rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]
On Friday 30 of October 2009, Jesse Vincent wrote:
> On Fri, Oct 30, 2009 at 03:13:33PM +0100, Arkadiusz Miskiewicz wrote:
> > On Friday 23 of October 2009, Arkadiusz Miskiewicz wrote:
> > > On Friday 23 of October 2009, Jesse Vincent wrote:
> > > > I don't think I've ever seen this with RT, but I have seen it with
> > > > other applications - the cause is _usually_ an HTTP proxy that's
> > > > caching RT's pages. Do you have any sort of HTTP proxy between your
> > > > browsers and your server?
> > >
> > > No proxy. Also rt is served over https.
> >
> > There is no proxy but the apache serving rt had the mod_cache module
> > installed, which turns out to be caching cookies! Nightmare to track.
> > Uninstalled and so far everything is working nicely.
> >
> > Now the question is, can anything be done on the rt level to prevent
> > mod_cache from caching such stuff and actually creating security issues?
>
> Well, what does mod_cache need to know not to cache requests?

Cache: no-cache but that will prevent caching at all. Seems to be no way to
prevent caching cookies from the application side.
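The mod_cache finding above comes down to which responses a shared cache is allowed to keep. As an added example (not code from the thread, from RT or from mod_cache), the function below applies the RFC 7234 section 3 storage rules for a shared cache to constructed response headers and flags responses whose stored copy would carry a Set-Cookie header; it models the RFC, not any particular cache implementation.

```python
# Added example: RFC 7234 section 3 "may a shared cache store this response"
# rules, used to check whether a session cookie could end up in a shared cache.
# All headers below are constructed for the example.

# Status codes a cache may store without explicit freshness information.
HEURISTIC_STATUSES = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def cache_directives(headers):
    """Parse Cache-Control into {directive: value_or_None}, case-insensitively."""
    out = {}
    for part in headers.get("cache-control", "").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        out[name.strip().lower()] = value.strip().strip('"') or None
    return out


def shared_cache_may_store(status, response_headers, request_has_authorization=False):
    """True if a shared cache is permitted to store this response (RFC 7234 s.3)."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    cc = cache_directives(headers)
    # no-store forbids storing anywhere; private forbids it in a shared cache.
    # Note that no-cache is NOT in this list: it only forces revalidation.
    if "no-store" in cc or "private" in cc:
        return False
    # Responses to requests with Authorization need explicit permission.
    if request_has_authorization and not ({"public", "must-revalidate", "s-maxage"} & cc.keys()):
        return False
    explicit = "expires" in headers or "max-age" in cc or "s-maxage" in cc or "public" in cc
    return explicit or status in HEURISTIC_STATUSES


def session_leak_risk(status, response_headers):
    """True when a storable response also hands out a cookie (Set-Cookie)."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    return "set-cookie" in headers and shared_cache_may_store(status, response_headers)


# Constructed responses: a login page handing out a session cookie, with and
# without an application-side cache header, plus a static stylesheet.
LOGIN_NO_HEADER = {"Content-Type": "text/html", "Set-Cookie": "RT_SID=sessA; path=/"}
LOGIN_NO_CACHE = {**LOGIN_NO_HEADER, "Cache-Control": "no-cache"}
LOGIN_PRIVATE = {**LOGIN_NO_HEADER, "Cache-Control": "private, no-store"}
STATIC_CSS = {"Content-Type": "text/css", "Cache-Control": "max-age=3600"}

if __name__ == "__main__":
    for name, hdrs in [("no header", LOGIN_NO_HEADER), ("no-cache", LOGIN_NO_CACHE),
                       ("private, no-store", LOGIN_PRIVATE), ("static css", STATIC_CSS)]:
        print(f"{name:18} storable={shared_cache_may_store(200, hdrs)!s:5} "
              f"cookie leak risk={session_leak_risk(200, hdrs)}")
```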
Re: [rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]
On Friday 23 of October 2009, Arkadiusz Miskiewicz wrote:
> On Friday 23 of October 2009, Jesse Vincent wrote:
> > I don't think I've ever seen this with RT, but I have seen it with other
> > applications - the cause is _usually_ an HTTP proxy that's caching RT's
> > pages. Do you have any sort of HTTP proxy between your browsers and your
> > server?
>
> No proxy. Also rt is served over https.

There is no proxy but the apache serving rt had the mod_cache module
installed, which turns out to be caching cookies! Nightmare to track.
Uninstalled and so far everything is working nicely.

Now the question is, can anything be done on the rt level to prevent
mod_cache from caching such stuff and actually creating security issues?

ps. issues.apache.org is full of weird mod_cache related things

> -jesse
Re: [rt-users] 3.8.x serious security issue with mixing sessions
On Monday 26 of October 2009, Jesse Vincent wrote:
> On Mon, Oct 26, 2009 at 02:40:29PM +0200, Arkadiusz Miskiewicz wrote:
> > On Friday 23 of October 2009, Jerrad Pierce wrote:
> > > > A tool like the firefox developer toolbar is an easy way to do this.
> > >
> > > HTTPFox might be a good solution too. You can simply tell it to start
> > > tracking as you use RT, and stop it once you encounter the problem.
> > > Examine the results, debug, and/or sanitize and share. Everyone
> > > experiencing the problem doesn't have to install the add-on, just
> > > someone who has the issue.
> >
> > Can I log the session id here somehow?
> >
> > lib/RT/Interface/Web.pm:
> > $RT::Logger->info("Successful login for @{[$ARGS->{user}]} from $ENV{'REMOTE_ADDR'}");
>
> There are two bits you want to log:
>
> * $session{_session_id}
> * the session cookie the user sent: in 3.8.6, look at LoadSessionFromCookie
>
> > So far it's like this:
> > - user logged in as A
> > - suddenly he becomes user B
> > - he logged off and on as A again
> >
> > httpfox shows three session ids but I found only the last one in the
> > sessions table and it was user A's session.
>
> Logging out should be clearing that B session, so that bit isn't too
> surprising..

Still trying to gather more info.

What's the correct place for logging information about which session has
been logged out (forced) or logged out via the web interface?

Added this to _ForceLogout but it seems to be wrong since it logs some very
different session_ids...

sub _ForceLogout {
    my $sid = $HTML::Mason::Commands::session{'_session_id'};
    $RT::Logger->info("_ForceLogout session id $sid");

> Jesse
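The logging discussed above stops at the login line. As an added example (not code from the thread or from RT), the script below assumes RT were also made to log one line per request with the session id, the user the session resolved to and REMOTE_ADDR, and flags session ids presented from more than one client address or resolved to more than one user, the two symptoms described in this thread. The log format, session ids, users and addresses are all constructed.

```python
# Added example: detect mixed sessions from per-request log lines.
# Assumes a hypothetical RT log line of the form
#   [Thu Oct 29 10:03:40 2009] [info]: session <sid> user <user> from <REMOTE_ADDR>
# written for every request; RT itself does not emit this line.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"session (?P<sid>\S+) user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample: sessB is presented from two machines (a shared cookie),
# sessC is resolved to two different users on the same machine.
SAMPLE_LOG = """\
[Thu Oct 29 10:01:12 2009] [info]: session sessA user userA from 10.0.0.5
[Thu Oct 29 10:03:40 2009] [info]: session sessB user userB from 10.0.0.9
[Thu Oct 29 10:05:41 2009] [info]: session sessB user userB from 10.0.0.9
[Thu Oct 29 10:23:02 2009] [info]: session sessB user userB from 10.0.0.5
[Thu Oct 29 10:30:00 2009] [info]: session sessC user userC from 10.0.0.7
[Thu Oct 29 10:31:15 2009] [info]: session sessC user userA from 10.0.0.7
"""


def parse_log(text):
    """Return (sid, user, ip) tuples for every line matching LINE_RE."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append((m.group("sid"), m.group("user"), m.group("ip")))
    return records


def find_mixed_sessions(records):
    """Map each suspicious session id to the users and client IPs seen with it.

    A session id is suspicious when it was presented from more than one client
    address (two browsers holding the same RT_SID cookie) or resolved to more
    than one user (the session was rebound to another account).
    """
    users = defaultdict(set)
    ips = defaultdict(set)
    for sid, user, ip in records:
        users[sid].add(user)
        ips[sid].add(ip)
    return {
        sid: {"users": users[sid], "ips": ips[sid]}
        for sid in users
        if len(users[sid]) > 1 or len(ips[sid]) > 1
    }


if __name__ == "__main__":
    for sid, info in sorted(find_mixed_sessions(parse_log(SAMPLE_LOG)).items()):
        print(f"{sid}: users={sorted(info['users'])} ips={sorted(info['ips'])}")
```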
Re: [rt-users] 3.8.x serious security issue with mixing sessions
On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:

Today it happened to me. I suddenly became user B in rt (opera). The real
user B had his PC running with rt opened (firefox) with autorefresh every 2
minutes set, but he was away from his computer.

Now I verified his and my RT_SID cookie and... I have his cookie, aka we
both use the same cookie.

I log session_id in rt.log at login, so I also checked that and had a login
for user B with that cookie logged in rt.log 20 minutes ago. The sessions
table in mysql contained that session_id of course. My initial cookie that
I logged in with as user A was also there in the sessions table.

So in the end I and user B both have active sessions as user B with the same
cookie. I even did a few steps through rt on both computers to see if the
session_id would change but no - we are still logged in and still use the
same session_id/cookie.

(feature request: what I miss now is to make the session contain IP address
information for better security - so that a session would work only from
that one IP)
Re: [rt-users] 3.8.x serious security issue with mixing sessions
On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
> On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
>
> Today it happened to me.

And now another story that happened just a few minutes ago:

I was logged in as A with session_id/cookie, let's say sessA. When doing
something in rt I suddenly got the login screen, huh! Checked the sessions
table - sessA was still there. So I changed cookie preferences in opera and
set the RT_SID cookie back to sessA, page refresh and... I'm A, no need to
log in!

Which looks like my session (sessA) was still alive and working on the rt
side, but somehow rt passed a different session id/cookie to opera and opera
used it, which in the end caused the login screen to appear.
Re: [rt-users] 3.8.x serious security issue with mixing sessions
On Thursday 29 of October 2009, Jesse Vincent wrote:
> On Thu, Oct 29, 2009 at 03:18:33PM +0100, Arkadiusz Miskiewicz wrote:
> > On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
> > > Today it happened to me. I suddenly became user B in rt (opera). The
> > > real user B had his PC running with rt opened (firefox) with
> > > autorefresh every 2 minutes set, but he was away from his computer.
>
> I really need to see protocol-level HTTP logs for both of these sessions.
> I need to see when/if RT handed you his cookie.

One firefox user here has httpfox [1] running but so far he hasn't had any
problem for the last 2 days :-(

Our rt is running over ssl, so sniffing at the wire level is also not
possible (or at least I don't know any working linux sniffer that could do
that provided I have the key/cert).

Trying to get that.

[1] it sucks a little as it doesn't have save log capability
Re: [rt-users] 3.8.x serious security issue with mixing sessions
On Thursday 29 of October 2009, Jerrad Pierce wrote:
> > [1] it sucks a little as it doesn't have save log capability
>
> Right click > Copy all rows

That doesn't copy header data, cookies etc.
Re: [rt-users] 3.8.x serious security issue with mixing sessions
On Friday 23 of October 2009, Jerrad Pierce wrote:
> > A tool like the firefox developer toolbar is an easy way to do this.
>
> HTTPFox might be a good solution too. You can simply tell it to start
> tracking as you use RT, and stop it once you encounter the problem. Examine
> the results, debug, and/or sanitize and share. Everyone experiencing the
> problem doesn't have to install the add-on, just someone who has the issue.

Can I log the session id here somehow?

lib/RT/Interface/Web.pm:
$RT::Logger->info("Successful login for @{[$ARGS->{user}]} from $ENV{'REMOTE_ADDR'}");

So far it's like this:
- user logged in as A
- suddenly he becomes user B
- he logged off and on as A again

httpfox shows three session ids but I found only the last one in the
sessions table and it was user A's session. User B was logged in on his own
computer at that time but with a totally different session id than the three
above (so I assume user A became user B with some old session of user B).

Will try to get more information...
[rt-users] 3.8.x serious security issue with mixing sessions
I have a very serious security problem with a 3.8 installation (3.8.6
currently). Logged-in user sessions are being mixed up. One logged-in user
is becoming another logged-in user as seen by rt.

It happens at different moments. For example I'm user A and after clicking
to view some ticket I become user B. Or I'm logged in as user A but suddenly
I get a prompt about needing to log in, and after logging in with user A's
data I'm becoming user C (in this case "Successful login for .." isn't
logged into the logs).

Tried using default settings (session kept in mysql) but also
Apache::Session::File. The problem happens in both cases. I'm using mod_perl
to run rt.

Happens with different browsers, firefox, opera.

Any ideas on how to debug it?

perl packages are in fresh versions.
Re: [rt-users] 3.8.x serious security issue with mixing sessions
On Friday 23 of October 2009, Jesse Vincent wrote:
> On Fri, Oct 23, 2009 at 11:24:01AM +0200, Arkadiusz Miskiewicz wrote:
> > I have a very serious security problem with a 3.8 installation (3.8.6
> > currently). Logged-in user sessions are being mixed up. One logged-in
> > user is becoming another logged-in user as seen by rt.
> >
> > It happens at different moments. For example I'm user A and after
> > clicking to view some ticket I become user B. Or I'm logged in as user A
> > but suddenly I get a prompt about needing to log in, and after logging
> > in with user A's data I'm becoming user C (in this case "Successful
> > login for .." isn't logged into the logs).
> >
> > Tried using default settings (session kept in mysql) but also
> > Apache::Session::File. The problem happens in both cases. I'm using
> > mod_perl to run rt.
>
> I don't think I've ever seen this with RT, but I have seen it with other
> applications - the cause is _usually_ an HTTP proxy that's caching RT's
> pages. Do you have any sort of HTTP proxy between your browsers and your
> server?

No proxy. Also rt is served over https.

The session is really changing user because when trying to do something
that user A has access to I get permission denied due to B/C not having
that access.

> Something else is going on.
>
> -jesse
Re: [rt-users] 3.8.x serious security issue with mixing sessions
On Friday 23 of October 2009, Jesse Vincent wrote:
> > No proxy. Also rt is served over https.
> >
> > The session is really changing user because when trying to do something
> > that user A has access to I get permission denied due to B/C not having
> > that access.
>
> Something else is going on.
>
> * Can you capture the cookies on User A, User B, and User C's systems for
>   each HTTP hit to see if 1) they change and 2) they are the same? A tool
>   like the firefox developer toolbar is an easy way to do this.

That will be hard to do but I will try to get some info (in reality it
happens here for different users which I don't control, but it also
happened for me and my coworker).

> * Did this also happen with 3.8.5?

I had this in 3.6.6, whatever was current in march 2008, april 2008
(looking at irc logs of when I tried to get some help at #rt), 3.8.2 and
now 3.8.6. Maybe others too, I don't remember the versions.

Note that the issue was gone for some time (3.8.5 for sure, 3.8.4 too
afaik) but it's back after I upgraded to 3.8.6. I also upgraded the system,
so some perl* packages were updated too. Now, why it was gone for some time
is unknown.

> There's a change to session handling in 3.8.6.

Which git commit is that?