This release of RT-3.6.9 contains an important security fix. You can download it from:
http://download.bestpractical.com/pub/rt/release/rt-3.6.9.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-3.6.9.tar.gz.sig

SHA1 checksums

eaaa3d6d9b9e955ba7c4dc0c9b4eca3d02ad6fef rt-3.6.9.tar.gz
d710bd2d8fa4eec4b1ed0c1519eb762dd5078a0a rt-3.6.9.tar.gz.sig

During a routine internal audit, it was determined that all versions of RT from 3.4.6 to 3.8.4 are vulnerable to an escaping bug in the display of Custom Fields that could allow injection of JavaScript into the RT UI.

This bug is only exploitable if you have a Custom Field that accepts data from an end user (such as "Enter one value" or "Fill in one text area"). It does not affect "Select one value" fields. In addition, you must allow malicious users to set these custom fields, either through the Web UI (SelfService) or through an automated parsing script such as RT-Extension-ExtractCustomFieldValues, RT-Extension-CommandByMail or a local parsing modification.

If you do not allow external users to set Custom Field values and the only users who have ModifyCustomField are your Privileged users, then the impact of this is limited to one of your trusted users attacking the system.

I have attached patches for the 3.6 branch of RT in case you do not wish to upgrade at this time. We will be releasing 3.8.5 shortly and that release will also contain the bugfix, as well as patches for 3.4 and 3.8.

You can apply this patch as follows:

RT 3.6

    cd /opt/rt3/share
    patch -p1 < /path/to/RT-3.6-escape_custom_field_value.patch

You should then clear your Mason cache:

    # rm -rf /opt/rt3/var/mason_data/obj/*

and restart your webserver. This is often accomplished with

    # /etc/init.d/httpd restart

or

    # /etc/init.d/apache restart
diff --git a/html/Elements/ShowCustomFields b/html/Elements/ShowCustomFields
index 9fc74fd..cf6127e 100644
--- a/html/Elements/ShowCustomFields
+++ b/html/Elements/ShowCustomFields
@@ -90,7 +90,7 @@ my $print_value = sub {
if ( $m->comp_exists( $comp ) ) {
$m->comp( $comp, Object => $value );
} else {
- $m->print( $value->Content );
+ $m->out( $m->interp->apply_escapes( $value->Content, 'h' ) );
}
$m->out('</a>') if $linked;
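Review bot: the new `apply_escapes(..., 'h')` only covers the `else` branch; the `if ( $m->comp_exists( $comp ) )` branch two lines above still passes the raw `$value` to the per-type component via `$m->comp( $comp, Object => $value )`, so every such component must escape `Content` itself (or the caller should escape before dispatching) for the fix to be complete. A short comment above the new `$m->out` line explaining why the value is escaped here would also help prevent a later cleanup from reverting it to `$m->print( $value->Content )`.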
RT-Announce mailing list: http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce
