On Mon, 2006-11-06 at 11:35 -0500, Jesse Vincent wrote:
>
> It's worth noting that this patch opens up a potentially dangerous hole.
> A malicious user could easily make themselves CC of ...all your tickets.
> In some organizations, this may not matter. But it's a showstopper here
> ;)
>
> Best,
> Jesse
Hi Jesse,

I suppose this is true, but we are using RT as our support center and need to allow anyone to be able to create and see most of our tickets anyway, so this doesn't really open up our RT system any more than it already is. For us, this only applies to email access, since web access is only granted through a manual approval process. Also, this malicious user can only add themselves by emailing a followup to a ticket, which would be seen by all of the other watchers of the queue, so if we are paying attention to the correspondence we should easily catch any malicious users. This is also a good reason for making it an option like ParseNewMessageForTicketCcs is, defaulting to off and maybe with an appropriate warning about the security implications.

Thanks,
~Jason

PS. I added your comments about the potential security risks to the wiki page as a warning, I hope you don't mind.

-- 
/------------------------------------------------------------------\
| Jason A. Smith                       Email: [EMAIL PROTECTED]    |
| Atlas Computing Facility, Bldg. 510M Phone: +1-631-344-4226      |
| Brookhaven National Lab, P.O. Box 5000 Fax: +1-631-344-7616      |
| Upton, NY 11973-5000, U.S.A.                                     |
\------------------------------------------------------------------/
