Re: [rt-users] 3.8.x serious security issue with mixing sessions

2011-01-31 Thread Thierry Thelliez
I just found this thread about Mixed sessions. We are experiencing the
same problem with RT 3.8.7, sitting behind an Apache based proxy +
load balancer. The backend is a MySQL cluster but that should not have
an impact on the user sessions.

We have two instances of RT connected to the same backend.  In other
words, the front ends connect (load balance) to two RTs. These RTs
connect to the same Cluster.

Could the apache load balancer be the issue?

Suggestions?
Thierry


Re: [rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]

2009-11-03 Thread Jesse Vincent
 This patch doesn't solve the issue. People still get mixed sessions (test was 
 done after deleting all sessions from sessions table and restarting apache).

Hang on. Is mod_cache caching more than the files marked "static, never
changes"? Since this patch should stop RT from putting cookie headers on
any static content (and a fair bit more that we can get away without
them on).

-j


  diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
  index b82b638..dccf829 100755
  --- a/lib/RT/Interface/Web.pm
  +++ b/lib/RT/Interface/Web.pm
  @@ -279,7 +279,6 @@ sub MaybeShowNoAuthPage {
   return unless $m-base_comp-path =~
   RT-Config-Get('WebNoAuthRegex');
  
   # If it's a noauth file, don't ask for auth.
  -SendSessionCookie();
   $m-comp( { base_comp = $m-request_comp }, $m-fetch_next, %$ARGS );
   $m-abort;
   }
  
 
 
 -- 
 Arkadiusz Miśkiewicz        PLD/Linux Team
 arekm / maven.pl        http://ftp.pld-linux.org/
 

-- 
___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com


Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
Buy a copy at http://rtbook.bestpractical.com

Re: [rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]

2009-11-02 Thread Jesse Vincent


 Cache: no-cache but that will prevent caching at all. Seems to be no way to 
 prevent caching cookies from application side.

What's the current state of browser in-memory/on-disk caching with the
Cache: no-cache header?

The attached patch against 3.8.6 might be the right solution for you. I'd
consider making this change to RT if you can report back and tell me if
it does the right thing for you:

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index b82b638..dccf829 100755
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -279,7 +279,6 @@ sub MaybeShowNoAuthPage {
 return unless $m-base_comp-path =~ RT-Config-Get('WebNoAuthRegex');
 
 # If it's a noauth file, don't ask for auth.
-SendSessionCookie();
 $m-comp( { base_comp = $m-request_comp }, $m-fetch_next, %$ARGS );
 $m-abort;
 }
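Review bot: removing SendSessionCookie() from the WebNoAuthRegex path stops the Set-Cookie header on static and other no-auth responses, but the hunk does nothing about the responses that still carry the cookie: no Cache-Control header is added, so a shared cache in front of RT (the mod_cache setup discussed elsewhere in this thread) can still store an authenticated page together with its Set-Cookie and replay that cookie to the next client. Suggest pairing this with an explicit `Cache-Control: private, no-store` on every response that goes through SendSessionCookie(), leaving static files cacheable. Note also that this copy of the patch has lost its arrows and fat commas (`$m-base_comp-path`, `RT-Config-Get`, `base_comp = $m-request_comp`); they need to read `$m->base_comp->path`, `RT->Config->Get` and `base_comp => $m->request_comp` if the patch is applied from this mail.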


Re: [rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]

2009-11-02 Thread Arkadiusz Miskiewicz
On Monday 02 of November 2009, Jesse Vincent wrote:
  Cache: no-cache but that will prevent caching at all. Seems to be no way
  to prevent caching cookies from application side.
 
 What's the current state of browser in-memory/on-disk caching with the
 Cache: no-cache header?
 
 The attached patch against 3.8.6 might be the right solution for you. I'd
 consider making this change to RT if you can report back and tell me if
 it does the right thing for you:

This patch doesn't solve the issue. People still get mixed sessions (test was 
done after deleting all sessions from sessions table and restarting apache).

 diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
 index b82b638..dccf829 100755
 --- a/lib/RT/Interface/Web.pm
 +++ b/lib/RT/Interface/Web.pm
 @@ -279,7 +279,6 @@ sub MaybeShowNoAuthPage {
  return unless $m-base_comp-path =~
  RT-Config-Get('WebNoAuthRegex');
 
  # If it's a noauth file, don't ask for auth.
 -SendSessionCookie();
  $m-comp( { base_comp = $m-request_comp }, $m-fetch_next, %$ARGS );
  $m-abort;
  }
 


-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl        http://ftp.pld-linux.org/

Re: [rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]

2009-11-01 Thread Arkadiusz Miskiewicz
On Friday 30 of October 2009, Jesse Vincent wrote:
 On Fri, Oct 30, 2009 at 03:13:33PM +0100, Arkadiusz Miskiewicz wrote:
  On Friday 23 of October 2009, Arkadiusz Miskiewicz wrote:
   On Friday 23 of October 2009, Jesse Vincent wrote:
I don't think I've ever seen this with RT, but I have seen it with
other applications - the cause is _usually_ an HTTP proxy that's
caching RT's pages. Do you have any sort of HTTP proxy between your
browsers and your server?
  
   No proxy. Also rt is served over https.
 
  There is no proxy but apache serving rt had mod_cache module installed
  which turns out to be caching cookies!
 
  Nightmare to track. Uninstalled and so far everything is working nicely.
 
  Now the question is can anything be done on rt level to prevent mod_cache
  from caching such stuff and actually creating security issues?
 
 Well, what does mod_cache need to know not to cache requests?

Cache: no-cache but that will prevent caching at all. Seems to be no way to 
prevent caching cookies from application side.

-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl        http://ftp.pld-linux.org/
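The caching rules behind this exchange (what a shared cache such as mod_cache is allowed to store, and why dropping the cookie from no-auth files is only half of the fix), as an added example that is not part of the original thread and not RT or Apache code. It reads response headers the way a shared cache following the basic RFC 7234 storage rules does and flags any storable response that also carries Set-Cookie; the sample responses and the RT_SID_example cookie name are constructed for illustration.

```python
"""Classify HTTP responses as a shared cache would and flag the combination
this thread is about: a storable response that carries Set-Cookie.
Added example, not RT or Apache code; samples are constructed."""
from typing import Dict, Tuple

# Status codes a cache may store without explicit freshness information
# (RFC 7231 section 6.1, "cacheable by default").
HEURISTIC_CACHEABLE = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_cache_control(value: str) -> Dict[str, str]:
    """Turn 'private, max-age=600' into {'private': '', 'max-age': '600'}."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def shared_cache_may_store(status: int, headers: Dict[str, str]) -> bool:
    """True when a shared cache is allowed to keep this response
    (RFC 7234 section 3, ignoring the request-side Authorization rule)."""
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    # Explicit freshness or 'public' makes any status storable...
    if any(d in cc for d in ("public", "max-age", "s-maxage")) or "expires" in lower:
        return True
    # ...otherwise only the heuristically cacheable statuses are.
    # 'no-cache' alone does NOT prevent storage; it only forces revalidation
    # before reuse, so it falls through to this rule.
    return status in HEURISTIC_CACHEABLE


def audit_response(status: int, headers: Dict[str, str]) -> str:
    """Classify one response; 'LEAK' means a stored copy would replay its
    Set-Cookie header to whichever client hits the cache next."""
    has_cookie = any(k.lower() == "set-cookie" for k in headers)
    storable = shared_cache_may_store(status, headers)
    if has_cookie and storable:
        return "LEAK"
    if has_cookie:
        return "ok-private"
    return "ok-static" if storable else "ok-uncached"


# Constructed samples modelled on the situations described in the thread.
SAMPLES: Dict[str, Tuple[int, Dict[str, str]]] = {
    # an RT page that sets the session cookie with no caching directive at all
    "page-with-cookie-no-cache-control": (200, {
        "Content-Type": "text/html",
        "Set-Cookie": "RT_SID_example=CONSTRUCTED_ID; path=/",
    }),
    # a no-auth static file once SendSessionCookie() is no longer called
    "static-file-without-cookie": (200, {
        "Content-Type": "text/css",
        "Cache-Control": "public, max-age=3600",
    }),
    # the first sample, but marked private and no-store
    "page-with-cookie-private": (200, {
        "Content-Type": "text/html",
        "Set-Cookie": "RT_SID_example=CONSTRUCTED_ID; path=/",
        "Cache-Control": "private, no-store",
    }),
    # the blanket 'no-cache' idea: still storable, reuse merely needs revalidation
    "page-with-cookie-no-cache-only": (200, {
        "Content-Type": "text/html",
        "Set-Cookie": "RT_SID_example=CONSTRUCTED_ID; path=/",
        "Cache-Control": "no-cache",
    }),
}


def audit_samples() -> Dict[str, str]:
    """Run the classifier over every constructed sample."""
    return {name: audit_response(st, hd) for name, (st, hd) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{verdict:12} {name}")
```

Pointing `audit_response` at real captured headers from the proxy is the quickest way to confirm whether a given deployment ever emits a storable response with a cookie on it.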

Re: [rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]

2009-10-30 Thread Arkadiusz Miskiewicz
On Friday 23 of October 2009, Arkadiusz Miskiewicz wrote:
 On Friday 23 of October 2009, Jesse Vincent wrote:

  I don't think I've ever seen this with RT, but I have seen it with other
   applications - the cause is _usually_ an HTTP proxy that's caching RT's
   pages. Do you have any sort of HTTP proxy between your browsers and your
   server?
 
 No proxy. Also rt is served over https.

There is no proxy but apache serving rt had mod_cache module installed which 
turns out to be caching cookies!

Nightmare to track. Uninstalled and so far everything is working nicely.

Now the question is can anything be done at rt level to prevent mod_cache from 
caching such stuff and actually creating security issues?

ps. issues.apache.org is full of weird mod_cache related things

  -jesse

-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl        http://ftp.pld-linux.org/

Re: [rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]

2009-10-30 Thread Jesse Vincent



On Fri, Oct 30, 2009 at 03:13:33PM +0100, Arkadiusz Miskiewicz wrote:
 On Friday 23 of October 2009, Arkadiusz Miskiewicz wrote:
  On Friday 23 of October 2009, Jesse Vincent wrote:
 
   I don't think I've ever seen this with RT, but I have seen it with other
applications - the cause is _usually_ an HTTP proxy that's caching RT's
pages. Do you have any sort of HTTP proxy between your browsers and your
server?
  
  No proxy. Also rt is served over https.
 
 There is no proxy but apache serving rt had mod_cache module installed which 
 turns out to be caching cookies!
 
 Nightmare to track. Uninstalled and so far everything is working nicely.
 
 Now the question is can anything be done at rt level to prevent mod_cache 
 from caching such stuff and actually creating security issues?

Well, what does mod_cache need to know not to cache requests?

 
 ps. issues.apache.org is full of weird mod_cache related things
 
   -jesse
 
 -- 
 Arkadiusz Miśkiewicz        PLD/Linux Team
 arekm / maven.pl        http://ftp.pld-linux.org/
 


Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-29 Thread Arkadiusz Miskiewicz
On Monday 26 of October 2009, Jesse Vincent wrote:
 On Mon, Oct 26, 2009 at 02:40:29PM +0200, Arkadiusz Miskiewicz wrote:
  On Friday 23 of October 2009, Jerrad Pierce wrote:
  A tool like the firefox developer toolbar is an easy way to do
this.
  
   HTTPFox might be a good solution too. You can simply tell it to start
tracking as you use RT, and stop it once you encounter the problem.
Examine the results, debug, and or sanitize and share.
  
   Everyone experiencing the problem doesn't have to install the add-on,
   just someone who has the issue.
 
  Can I log session id here somehow?
 
  lib/RT/Interface/Web.pm:
  $RT::Logger->info("Successful login for @{[$ARGS->{user}]} from
  $ENV{'REMOTE_ADDR'}");
 
 There are two bits you want to log:
 
   * $session{_session_id}
   * the session cookie the user sent:  in 3.8.6, look at
  LoadSessionFromCookie
 
  So far it's like this:
  - user logged as A
  - suddenly he becomes user B
  - he logged off and on as A again
 
  httpfox shows three session ids but I found only last one in sessions
  table and it was user A session.
 
 Logging out should be clearing that B session, so that bit isn't too
 surprising..

Still trying to gather more info. 

What's the correct place for logging information about which session has been 
logged out (forced) or logged out via web interface?

Added this to _ForceLogout but it seems to be wrong since it logs some very 
different session_ids...

sub _ForceLogout {
    my $sid = $HTML::Mason::Commands::session{'_session_id'};
    $RT::Logger->info("_ForceLogout session id $sid");
    # ... the rest of the original _ForceLogout body is unchanged
}


 Jesse

-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl        http://ftp.pld-linux.org/

Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-29 Thread Arkadiusz Miskiewicz
On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:

Today it happened to me. I suddenly became user B in rt (opera). The real 
user B had his PC running with rt opened (firefox) with autorefresh every 2 
minutes set, but he was away from his computer.

Now I verified his and my RT_SID cookie and... I have his cookie, aka we both 
use the same cookie.  I log session_id in rt.log at login, so I also checked 
that and had a login for user B with that cookie logged in rt.log 20 minutes 
ago. The sessions table in mysql contained that session_id of course. My initial 
cookie that I logged in with as user A was also there in the sessions table.

So in the end user B and I both have active sessions as user B with the 
same cookie. I even did a few steps through rt on both computers to see if 
the session_id would change, but no - we are still logged in and still use the 
same session_id/cookie.

(feature request: what I miss now is to make the session contain IP address 
information for better security - so that the session would work only from that 
one IP)
-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl        http://ftp.pld-linux.org/

Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-29 Thread Jesse Vincent



On Thu, Oct 29, 2009 at 03:18:33PM +0100, Arkadiusz Miskiewicz wrote:
 On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
 
 Today it happened to me. I suddenly became user B in rt (opera). The real 
 user B had his PC running with rt opened (firefox) with autorefresh every 2 
 minutes set but he was away from his computer.

I really need to see protocol-level HTTP logs for both of these
sessions. I need to see when/if RT handed you his cookie.
 
 Now I verified his and my RT_SID cookie and... I have his cookie, aka we 
 both use the same cookie.  I log session_id in rt.log at login, so I also checked 
 that and had a login for user B with that cookie logged in rt.log 20 minutes 
 ago. The sessions table in mysql contained that session_id of course. My initial 
 cookie that I logged in with as user A was also there in the sessions table.
 
 So in the end user B and I both have active sessions as user B with the 
 same cookie. I even did a few steps through rt on both computers to see if 
 the session_id would change, but no - we are still logged in and still use the 
 same session_id/cookie.
 
 (feature request: what I miss now is to make session contain IP address 
 information for better security - so that session would work only from that 
 one IP)

As an optional feature, I'd love a patch. But it has to default to off.
Too many organizations have an array of outgoing proxy IP addresses.

 -- 
 Arkadiusz Miśkiewicz        PLD/Linux Team
 arekm / maven.pl        http://ftp.pld-linux.org/
 


Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-29 Thread Arkadiusz Miskiewicz
On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
 On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
 
 Today it happened to me.

And now another story that happened just few minutes ago:

I was logged in as A with session_id/cookie, let's say sessA. When doing 
something in rt I suddenly got the login screen, huh! Checked the sessions table - 
sessA was still there. So I changed cookie preferences in opera and set the RT_SID 
cookie back to sessA, page refresh and... I'm in as A, no need to log in!

Which looks like my session (sessA) was still alive and working on the rt side, 
but somehow rt passed a different session id/cookie to opera and opera used it, 
which in the end caused the login screen to appear.

-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl        http://ftp.pld-linux.org/

Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-29 Thread Arkadiusz Miskiewicz
On Thursday 29 of October 2009, Jesse Vincent wrote:
 On Thu, Oct 29, 2009 at 03:18:33PM +0100, Arkadiusz Miskiewicz wrote:
  On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
 
  Today it happened to me. I suddenly became user B in rt (opera). The
  real user B had his PC running with rt opened (firefox) with autorefresh
  every 2 minutes set but he was away from his computer.
 
 I really need to see protocol-level HTTP logs for both of these
 sessions. I need to see when/if RT handed you his cookie.

One firefox user here has httpfox [1] running but so far he hasn't had any 
problem for the last 2 days :-( 

Our rt is running over ssl, so sniffing at wire level is also not possible (or at 
least I don't know any working linux sniffer that could do that provided I 
have the key/cert).

Trying to get that.

[1] it sucks a little as it doesn't have a save-log capability
-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl        http://ftp.pld-linux.org/

Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-29 Thread Jesse Vincent



On Thu, Oct 29, 2009 at 03:30:49PM +0100, Arkadiusz Miskiewicz wrote:
 On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
  On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
  
  Today it happened to me.
 
 And now another story that happened just few minutes ago:
 
 I was logged in as A with session_id/cookie, let's say sessA. When doing 
 something in rt I suddenly got the login screen, huh! Checked the sessions table - 
 sessA was still there. So I changed cookie preferences in opera and set the 
 RT_SID cookie back to sessA, page refresh and... I'm in as A, no need to log in!
 
 Which looks like my session (sessA) was still alive and working on the rt side, 
 but somehow rt passed a different session id/cookie to opera and opera used it, 
 which in the end caused the login screen to appear.

"somehow" is what we need to get to the bottom of. To do that, I need
the HTTP logs including all headers from your client.  I need to see RT
serving you that cookie and to see the request it was on and what else
was in that request.  This is fairly far into "should not be possible"
and I need a bit more of a view into what bit of infrastructure is
causing it.


Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-29 Thread Jerrad Pierce
 [1] it sucks a little as it doesn't have a save-log capability
Right click > Copy all rows

Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-29 Thread Arkadiusz Miskiewicz
On Thursday 29 of October 2009, Jerrad Pierce wrote:
  [1] it sucks a little as it doesn't have a save-log capability
 
 Right click > Copy all rows

That doesn't copy header data, cookies, etc.

-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl        http://ftp.pld-linux.org/

Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-26 Thread Arkadiusz Miskiewicz
On Friday 23 of October 2009, Jerrad Pierce wrote:
A tool like the firefox developer toolbar is an easy way to do this.
 
 HTTPFox might be a good solution too. You can simply tell it to start
  tracking as you use RT, and stop it once you encounter the problem.
  Examine the results, debug, and or sanitize and share.
 
 Everyone experiencing the problem doesn't have to install the add-on,
 just someone who has the issue.

Can I log session id here somehow?

lib/RT/Interface/Web.pm:
$RT::Logger->info("Successful login for @{[$ARGS->{user}]} from 
$ENV{'REMOTE_ADDR'}");

So far it's like this:
- user logged in as A
- suddenly he becomes user B
- he logged off and on as A again

httpfox shows three session ids but I found only the last one in the sessions table 
and it was user A's session.

User B was logged in on his own computer at that time but with a totally 
different session id than the three above (so I assume user A became user B with 
some old session of user B).

Will try to get more information...
-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl        http://ftp.pld-linux.org/

Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-26 Thread Jesse Vincent



On Mon, Oct 26, 2009 at 02:40:29PM +0200, Arkadiusz Miskiewicz wrote:
 On Friday 23 of October 2009, Jerrad Pierce wrote:
 A tool like the firefox developer toolbar is an easy way to do this.
  
  HTTPFox might be a good solution too. You can simply tell it to start
   tracking as you use RT, and stop it once you encounter the problem.
   Examine the results, debug, and or sanitize and share.
  
  Everyone experiencing the problem doesn't have to install the add-on,
  just someone who has the issue.
 
 Can I log session id here somehow?
 
 lib/RT/Interface/Web.pm:
 $RT::Logger->info("Successful login for @{[$ARGS->{user}]} from 
 $ENV{'REMOTE_ADDR'}");

There are two bits you want to log:

* $session{_session_id} 
* the session cookie the user sent:  in 3.8.6, look at 
LoadSessionFromCookie
 
 So far it's like this:
 - user logged as A
 - suddenly he becomes user B
 - he logged off and on as A again
 
 httpfox shows three session ids but I found only last one in sessions table 
 and it was user A session.

Logging out should be clearing that B session, so that bit isn't too
surprising..

 User B was logged in on his own computer at that time but with a totally 
 different session id than the three above (so I assume user A became user B with 
 some old session of user B).

*nod*

Has _anybody_ else been seeing this? With 3.8.6 or any other version of
RT?

Jesse

Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-26 Thread Leonid Mamchenkov
Hi,

On Mon, Oct 26, 2009 at 14:58, Jesse Vincent je...@bestpractical.com wrote:
  User B was logged in on his own computer at that time but with a totally
  different session id than the three above (so I assume user A became user B with
  some old session of user B).

 *nod*

 Has _anybody_ else been seeing this? With 3.8.6 or any other version of
 RT?

I saw this issue a few times on RT 3.8.2. However, it doesn't happen
often, and I can't think of a way to catch it. I believe the issue
appeared after we upgraded from 3.6.5.

--
Leonid Mamchenkov

[rt-users] 3.8.x serious security issue with mixing sessions

2009-10-23 Thread Arkadiusz Miskiewicz

I have a very serious security problem with a 3.8 installation (3.8.6 
currently). 

Logged-in user sessions are being mixed up. One logged-in user is becoming another 
logged-in user as seen by rt. It happens at different moments. 

For example I'm user A and after clicking to view some ticket I become user B. 

Or I'm logged in as user A but suddenly I get a prompt about needing to log in, 
and after logging in with user A's data I become user C (in this case 
"Successful login for .." isn't logged into the logs).

Tried using default settings (session kept in mysql) but also 
Apache::Session::File. Problem happens in both cases. I'm using mod_perl to 
run rt.

Happens with different browsers, firefox, opera.

Any ideas on how to debug it?

perl packages are in fresh versions:


Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-23 Thread Jesse Vincent



On Fri, Oct 23, 2009 at 11:24:01AM +0200, Arkadiusz Miskiewicz wrote:
 
 I have a very serious security problem with 3.8 installation (3.8.6 
 currently). 
 
 Logged User sessions are being mixed up. One logged user is becoming another 
 logged user as seen by rt. It happens in different moments. 
 
 For example I'm user A and after clicking to view some ticket I become user 
 B. 
 
 Or I'm logged in as user A but suddenly I get a prompt about needing to log in, 
 and after logging in with user A's data I become user C (in this case 
 "Successful login for .." isn't logged into the logs).
 
 Tried using default settings (session kept in mysql) but also 
 Apache::Session::File. Problem happens in both cases. I'm using mod_perl to 
 run rt.

I don't think I've ever seen this with RT, but I have seen it with other
applications - the cause is _usually_ an HTTP proxy that's caching RT's
pages. Do you have any sort of HTTP proxy between your browsers and your
server?

-jesse

Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-23 Thread Arkadiusz Miskiewicz
On Friday 23 of October 2009, Jesse Vincent wrote:
 On Fri, Oct 23, 2009 at 11:24:01AM +0200, Arkadiusz Miskiewicz wrote:
  I have a very serious security problem with 3.8 installation (3.8.6
  currently).
 
  Logged User sessions are being mixed up. One logged user is becoming
  another logged user as seen by rt. It happens in different moments.
 
  For example I'm user A and after clicking to view some ticket I become
  user B.
 
  Or I'm logged in as user A but suddenly I get a prompt about needing to log
  in, and after logging in with user A's data I become user C (in this case
  "Successful login for .." isn't logged into the logs).
 
  Tried using default settings (session kept in mysql) but also
  Apache::Session::File. Problem happens in both cases. I'm using mod_perl
  to run rt.
 
 I don't think I've ever seen this with RT, but I have seen it with other
  applications - the cause is _usually_ an HTTP proxy that's caching RT's
  pages. Do you have any sort of HTTP proxy between your browsers and your
  server?

No proxy. Also rt is served over https. The session is really changing user 
because when trying to do something that user A has access to I get permission 
denied due to B/C not having that access.

Something else is going on.

 -jesse

-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl        http://ftp.pld-linux.org/

Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-23 Thread Jesse Vincent

 No proxy. Also rt is served over https. The session is really changing user 
 because when trying to do something that user A has access to I get 
 permission 
 denied due to B/C not having that access.
 
 Something else is going on.

* Can you capture the cookies on User A, User B, and User C's systems
  for each HTTP hit to see if 1) they change and 2) they are the same?

  A tool like the firefox developer toolbar is an easy way to do this.

* Did this also happen with 3.8.5? There's a change to session handling in 
3.8.6.


Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-23 Thread Arkadiusz Miskiewicz
On Friday 23 of October 2009, Jesse Vincent wrote:
> > No proxy. Also rt is served over https. The session is really changing
> > user because when trying to do something that user A has access to I get
> > permission denied due to B/C not having that access.
> >
> > Something else is going on.
>
> * Can you capture the cookies on User A, User B, and User C's systems
>   for each HTTP hit to see if 1) they change and 2) they are the same?
>
>   A tool like the firefox developer toolbar is an easy way to do this.

That will be hard to do but will try to get some info (in reality it happens 
here for different users which I don't control but it also happened for me and 
my coworker).

> * Did this also happen with 3.8.5? 

I had this in 3.6.6, whatever was current in March 2008, April 2008 (looking 
at IRC logs from when I tried to get some help at #rt), 3.8.2 and now 3.8.6. 
Maybe others too, don't remember versions.

Note that the issue was gone for some time (3.8.5 for sure, 3.8.4, too afaik) 
but it's back after I upgraded to 3.8.6. I also upgraded system, so some perl* 
packages were updated, too.

Now why it was gone for some time is unknown.

> There's a change to session handling in
> 3.8.6.

Which git commit is that?

-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/

Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-23 Thread Jerrad Pierce
>   A tool like the firefox developer toolbar is an easy way to do this.
HTTPFox might be a good solution too. You can simply tell it to start tracking
as you use RT, and stop it once you encounter the problem. Examine the
results, debug, and/or sanitize and share.

Everyone experiencing the problem doesn't have to install the add-on,
just someone who has the issue.
-- 
Cambridge Energy Alliance: Save money. Save the planet.


Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-23 Thread Matthew Keller
Arkadiusz Miskiewicz wrote:
> I have a very serious security problem with 3.8 installation (3.8.6 
> currently). 
> 
> Logged User sessions are being mixed up. One logged user is becoming another 
> logged user as seen by rt. It happens in different moments. 

Are you using HTTP authentication or RT's built-in login page? If the 
former, it's likely a leaky apache process, squid or auth_cache problem 
(not RT); if the latter, then most likely a caching issue or possibly RT 
bug.

-- 
Matthew Keller
Information Security Officer
Computing & Technology Services
State University of New York @ Potsdam
Potsdam, NY, USA


Re: [rt-users] 3.8.x serious security issue with mixing sessions

2009-10-23 Thread Jesse Vincent

> I had this in 3.6.6, whatever was current in March 2008, April 2008 (looking 
> at IRC logs from when I tried to get some help at #rt), 3.8.2 and now 3.8.6. 
> Maybe others too, don't remember versions.
> 
> Note that the issue was gone for some time (3.8.5 for sure, 3.8.4, too afaik) 
> but it's back after I upgraded to 3.8.6. I also upgraded system, so some 
> perl* packages were updated, too.
> 
> Now why it was gone for some time is unknown.
> 
> > There's a change to session handling in
> > 3.8.6.
> 
> Which git commit is that?

Far more than a single commit. We significantly overhauled all the logic
that used to be in the autohandler.

But, if this is something you've seen before and not a new issue, I'd
not point the finger at the refactoring just yet. 

Once you are logged in and see RT's home screen, does _your_ session
change as you refresh and become someone else?

How many RT instances do you have in this one apache?

Which of the apache multiprocess models are you using? Maybe there's
something weird going on with multithreading...

If you switch to fastcgi does this go away?

Are you using apache authentication with RT?

Can you send the contents of the Configuration->Global->Tools->System 
Configuration page?

Have you made any local changes?