[rt-users] 3.8.x serious security issue with mixing sessions

2009-10-23 Thread Arkadiusz Miskiewicz
I have a very serious security problem with 3.8 installation (3.8.6 currently). Logged User sessions are being mixed up. One logged user is becoming another logged user as seen by rt. It happens in different moments. For example I'm user A and after clicking to view some ticket I become

Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-23 Thread Arkadiusz Miskiewicz
On Friday 23 of October 2009, Jesse Vincent wrote: On Fri, Oct 23, 2009 at 11:24:01AM +0200, Arkadiusz Miskiewicz wrote: I have a very serious security problem with 3.8 installation (3.8.6 currently). Logged User sessions are being mixed up. One logged user is becoming another logged

Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-23 Thread Arkadiusz Miskiewicz
On Friday 23 of October 2009, Jesse Vincent wrote: No proxy. Also rt is served over https. The session is really changing user because when trying to do something that user A has access to I get permission denied due to B/C not having that access. Something else is going on. * Can you

Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-26 Thread Arkadiusz Miskiewicz
On Friday 23 of October 2009, Jerrad Pierce wrote: A tool like the firefox developer toolbar is an easy way to do this. HTTPFox might be a good solution too. You can simply tell it to start tracking as you use RT, and stop it once you encounter the problem. Examine the results, debug,

Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-29 Thread Arkadiusz Miskiewicz
On Monday 26 of October 2009, Jesse Vincent wrote: On Mon, Oct 26, 2009 at 02:40:29PM +0200, Arkadiusz Miskiewicz wrote: On Friday 23 of October 2009, Jerrad Pierce wrote: A tool like the firefox developer toolbar is an easy way to do this. HTTPFox might be a good solution too

Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-29 Thread Arkadiusz Miskiewicz
On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote: Today it happened to me. I suddenly became user B in rt (opera). The real user B had his PC running with rt opened (firefox) with autorefresh every 2 minutes set but he was away from his computer. Now I verified his and my RT_SID

Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-29 Thread Arkadiusz Miskiewicz
On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote: On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote: Today it happened to me. And now another story that happened just a few minutes ago: I was logged in as A with session_id/cookie let's say sessA. When doing something in rt I

Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-29 Thread Arkadiusz Miskiewicz
On Thursday 29 of October 2009, Jesse Vincent wrote: On Thu, Oct 29, 2009 at 03:18:33PM +0100, Arkadiusz Miskiewicz wrote: On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote: Today it happened to me. I suddenly became user B in rt (opera). The real user B had his PC running

Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-29 Thread Arkadiusz Miskiewicz
On Thursday 29 of October 2009, Jerrad Pierce wrote: [1] it sucks a little as it doesn't have save log capability Right click Copy all rows That doesn't copy headers data, cookies etc -- Arkadiusz Miśkiewicz PLD/Linux Team arekm / maven.pl http://ftp.pld-linux.org/

Re: [rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]

2009-10-30 Thread Arkadiusz Miskiewicz
On Friday 23 of October 2009, Arkadiusz Miskiewicz wrote: On Friday 23 of October 2009, Jesse Vincent wrote: I don't think I've ever seen this with RT, but I have seen it with other applications - the cause is _usually_ an HTTP proxy that's caching RT's pages. Do you have any sort

Re: [rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]

2009-11-01 Thread Arkadiusz Miskiewicz
On Friday 30 of October 2009, Jesse Vincent wrote: On Fri, Oct 30, 2009 at 03:13:33PM +0100, Arkadiusz Miskiewicz wrote: On Friday 23 of October 2009, Arkadiusz Miskiewicz wrote: On Friday 23 of October 2009, Jesse Vincent wrote: I don't think I've ever seen this with RT, but I have seen

Re: [rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]

2009-11-02 Thread Arkadiusz Miskiewicz
On Monday 02 of November 2009, Jesse Vincent wrote: Cache: no-cache but that will prevent caching at all. Seem to be no way to prevent caching cookies from application side. What's the current state of browser in-memory/on-disk caching with the Cache: no-cache header? The attached patch

[rt-users] mysql sphinx

2011-08-28 Thread Arkadiusz Miskiewicz
Hi, I'm going to set up full text search with mysql 5.5, sphinxse 2.1 and sphinxd 0.9.9. max_matches worries me, from docs: Take, for example, the instance where Sphinx is configured to return a maximum of three results, and tickets 1, 2, 3, 4, and 5 contain the string target,

Re: [rt-users] mysql sphinx

2011-08-29 Thread Arkadiusz Miskiewicz
On Monday 29 of August 2011, Alex Vandiver wrote: Does that help to clarify the limitation? Yes, it does. Thanks. More questions follow. I see that sphinx is learning only attachments with ContentType = 'text/plain' entries which looks unfortunate since I have tons of html email. Did

Re: [rt-users] disable quote folding in 4.x

2011-08-30 Thread Arkadiusz Miskiewicz
On Monday 29 of August 2011, Arkadiusz Miskiewicz wrote: Is there a way to disable quote folding in 4.x? Some of my users are confused by this new feature and unintentionally ignore important information :/ (feature request is to make this a per user setting) Using this hack for now. diff -ubB

Re: [rt-users] RT Upgrade problem

2011-09-02 Thread Arkadiusz Miskiewicz
On Friday 02 of September 2011, Kevin Falcone wrote: On Thu, Sep 01, 2011 at 05:32:00PM +, Derek Rumig wrote: I was running 3.8.7 and had a user using the 3.5-default. Now he cannot login with 4.0.1 and gets the error Could not find component for path