-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear all,

would it be possible to see an example of the logs produced by RT subjected to the session fixation vulnerability? I have a very bizarre event in the RT I manage which took place approximately 2 hrs after the security alert went out to the lists and which I cannot explain away. It looks like this (RT 3.0.12):

192.168.X.Y - - [01/Dec/2009:18:21:56 +0000] "GET /rt/NoAuth/webrt.css HTTP/1.1" 200 6944
192.168.X.Y - - [01/Dec/2009:18:21:58 +0000] "GET /rt/Ticket/Display.html?id=41114 HTTP/1.1" 200 56794
192.168.X.Y - - [01/Dec/2009:18:22:05 +0000] "GET /rt/NoAuth/webrt.css HTTP/1.1" 200 6944
192.168.X.Y - - [01/Dec/2009:18:22:06 +0000] "GET /rt/Ticket/Update.html?id=41114&QuoteTransaction=293515&Action=Respond HTTP/1.1" 200 14338
192.168.X.Y - - [01/Dec/2009:18:24:21 +0000] "GET /rt/NoAuth/webrt.css HTTP/1.1" 200 6944
192.168.X.Y - - [01/Dec/2009:18:24:23 +0000] "POST /rt/Ticket/Update.html HTTP/1.1" 200 23431

which correlates with:

[Tue Dec 1 18:24:20 2009] [crit]: RT::Attachment->Create couldn't, as you didn't specify a transaction (/usr/share/request-tracker3/lib/RT/Attachment_Overlay.pm:117)
[Tue Dec 1 18:24:20 2009] [crit]: Trying to check RT::Ticket rights for an unspecified RT::Ticket (/usr/share/request-tracker3/lib/RT/Principal_Overlay.pm:355)
[Tue Dec 1 18:24:20 2009] [err]: RT::Ticket=HASH(0xa0726b8) couldn't init a transaction Transaction Created (/usr/share/request-tracker3/lib/RT/Ticket_Overlay.pm:2334)

I've trawled through the past year of logs and we've never seen these errors before.

The database log shows no transaction for the same time period (note the hole between 16:24:55 GMT and 09:24:03 GMT):

-[ RECORD 18 ]--+---------------------------------------------------------
id              | 293515
effectiveticket | 0
ticket          | 41114
timetaken       | 30
type            | Correspond
field           |
oldvalue        |
newvalue        |
data            | No Subject
creator         | 72707
created         | 2009-12-01 16:24:55
-[ RECORD 19 ]--+---------------------------------------------------------
id              | 293626
effectiveticket | 0
ticket          | 41114
timetaken       | 0
type            | Comment
field           |
oldvalue        |
newvalue        |
data            | No Subject
creator         | 72707
created         | 2009-12-02 09:24:03

and we did have an outbound e-mail sent by RT:

Dec 1 18:24:20 glan postfix/pickup[14782]: 81A8DC5A6C: uid=33 from=<www-data>
Dec 1 18:24:20 glan postfix/cleanup[18057]: 81A8DC5A6C: message-id=<[email protected]>
Dec 1 18:24:20 glan postfix/qmgr[19235]: 81A8DC5A6C: from=<[email protected]>, size=925, nrcpt=10 (queue active)
Dec 1 18:24:20 glan postfix/pickup[14782]: BEF8CC5A6F: uid=33 from=<www-data>
Dec 1 18:24:20 glan postfix/cleanup[18057]: BEF8CC5A6F: message-id=<[email protected]>
Dec 1 18:24:20 glan postfix/qmgr[19235]: BEF8CC5A6F: from=<[email protected]>, size=838, nrcpt=1 (queue active)
Dec 1 18:24:21 glan postfix/smtp[18062]: BEF8CC5A6F: to=<[email protected]>, relay=mailrelay.net.X.com[192.168.160.3], delay=1, status=sent (250 2.0.0 nB1IOK1r004792 Message accepted for delivery)
Dec 1 18:24:21 glan postfix/qmgr[19235]: BEF8CC5A6F: removed
Dec 1 18:24:25 glan postfix/smtp[18059]: 81A8DC5A6C: to=<[email protected]>, relay=mailrelay.net.X.com[192.168.160.2], delay=5, status=sent (250 2.0.0 nB1IOKOH031556 Message accepted for delivery)
[all other ticket watchers follow]
Dec 1 18:24:25 glan postfix/qmgr[19235]: 81A8DC5A6C: removed

and the message looks like this:

--- 8< cut here 8< ---
Received: by glan.net.X.com (Postfix, from userid 33) id 81A8DC5A6C; Tue, 1 Dec 2009 18:24:20 +0000 (GMT)
MIME-Version: 1.0
In-Reply-To: <rt-41...@x>
X-Mailer: Perl5 Mail::Internet v1.62
Content-Type: text/plain; charset="utf-8"
Reply-To: [email protected]
X-RT-Original-Encoding: utf-8
RT-Originator:
Managed-BY: RT 3.0.12 (http://www.bestpractical.com/rt/)
Subject: [X #41114] Downloading contact list
Sender: "www-data" <[email protected]>
RT-Ticket: X #41114
Message-Id: <[email protected]>
Precedence: bulk
X-RT-Loop-Prevention: X
To: "AdminCc of X Ticket #41114": ;
Content-Transfer-Encoding: 8bit
From: " via RT" <[email protected]>
Date: Tue, 1 Dec 2009 18:24:20 +0000 (GMT)

<URL: http://rt.X.com/rt/Ticket/Display.html?id=41114 >

This transaction appears to have no content
--- 8< cut here 8< ---

Any suggestions gratefully received...

Arrigo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAksWSZ8ACgkQDbQ6TQLMoL+JfACfdJyZxwtAqskd0lmzDnKHNFpz
VfQAni4tghvjNyqS2AafozUorVtfS4cl
=VPC+
-----END PGP SIGNATURE-----

_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: [email protected]
Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
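Added example, not part of Arrigo's message or of RT itself: a Python script that performs the three-way correlation the post does by hand, using the access-log, RT-log and Transactions excerpts from the post as constructed sample input. It parses each source, ties a POST to /rt/Ticket/Update.html back to the ticket id from the same client's preceding GET (the POST body, where RT carries the id, is not in the access log), and flags the POST when RT logged [crit]/[err] entries within a few seconds of it but no Transactions row for that ticket appeared in the same window. Assumptions made here: the RT log timestamps are in the server's local time, taken as GMT because the Date and Received headers in the post are +0000 (GMT); a ten-second symmetric window absorbs the three-second gap between the RT entries (18:24:20) and Apache's stamp on the POST (18:24:23); function and variable names are mine.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input, copied from the excerpts in the post above (client
# IP and hostnames were already redacted there). Replace with the real Apache
# access log, RT log and a SELECT over the Transactions table.
ACCESS_LOG = """\
192.168.X.Y - - [01/Dec/2009:18:21:56 +0000] "GET /rt/NoAuth/webrt.css HTTP/1.1" 200 6944
192.168.X.Y - - [01/Dec/2009:18:21:58 +0000] "GET /rt/Ticket/Display.html?id=41114 HTTP/1.1" 200 56794
192.168.X.Y - - [01/Dec/2009:18:22:06 +0000] "GET /rt/Ticket/Update.html?id=41114&QuoteTransaction=293515&Action=Respond HTTP/1.1" 200 14338
192.168.X.Y - - [01/Dec/2009:18:24:23 +0000] "POST /rt/Ticket/Update.html HTTP/1.1" 200 23431
"""

RT_LOG = """\
[Tue Dec 1 18:24:20 2009] [crit]: RT::Attachment->Create couldn't, as you didn't specify a transaction (/usr/share/request-tracker3/lib/RT/Attachment_Overlay.pm:117)
[Tue Dec 1 18:24:20 2009] [crit]: Trying to check RT::Ticket rights for an unspecified RT::Ticket (/usr/share/request-tracker3/lib/RT/Principal_Overlay.pm:355)
[Tue Dec 1 18:24:20 2009] [err]: RT::Ticket=HASH(0xa0726b8) couldn't init a transaction Transaction Created (/usr/share/request-tracker3/lib/RT/Ticket_Overlay.pm:2334)
"""

# (id, ticket, type, created) as printed by psql in the post; created is GMT.
DB_TRANSACTIONS = [
    (293515, 41114, "Correspond", "2009-12-01 16:24:55"),
    (293626, 41114, "Comment", "2009-12-02 09:24:03"),
]

ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
RT_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]: (?P<msg>.*)$')


def parse_access_log(text):
    """Apache common/combined log lines -> list of request dicts (aware UTC timestamps)."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        out.append({
            "client": m["client"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return out


def parse_rt_log(text, tz=timezone.utc):
    """RT log lines -> list of entry dicts. Assumption: timestamps are server-local, here GMT."""
    out = []
    for line in text.splitlines():
        m = RT_RE.match(line)
        if not m:
            continue
        ts = re.sub(r"\s+", " ", m["ts"])  # ctime() pads the day with a space
        out.append({
            "ts": datetime.strptime(ts, "%a %b %d %H:%M:%S %Y").replace(tzinfo=tz),
            "level": m["level"],
            "msg": m["msg"],
        })
    return out


def parse_transactions(rows, tz=timezone.utc):
    """Transactions rows (id, ticket, type, created) -> dicts with aware timestamps."""
    return [{"id": i, "ticket": t, "type": ty,
             "ts": datetime.strptime(c, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)}
            for i, t, ty, c in rows]


def find_orphan_updates(requests, rt_entries, transactions, window=timedelta(seconds=10)):
    """Flag POSTs to Ticket/Update.html that coincide with RT crit/err entries
    but left no Transactions row for the ticket inside +/- window."""
    findings = []
    last_ticket = {}  # client -> ticket id from its most recent GET carrying id=
    for req in sorted(requests, key=lambda r: r["ts"]):
        m = re.search(r"[?&]id=(\d+)", req["path"])
        if req["method"] == "GET" and m:
            last_ticket[req["client"]] = int(m.group(1))
            continue
        if req["method"] != "POST" or not req["path"].startswith("/rt/Ticket/Update.html"):
            continue
        ticket = last_ticket.get(req["client"])
        lo, hi = req["ts"] - window, req["ts"] + window
        errors = [e for e in rt_entries
                  if e["level"] in ("crit", "err") and lo <= e["ts"] <= hi]
        recorded = [t for t in transactions
                    if t["ticket"] == ticket and lo <= t["ts"] <= hi]
        if errors and not recorded:
            findings.append({"client": req["client"], "ts": req["ts"],
                             "ticket": ticket, "errors": [e["msg"] for e in errors]})
    return findings


def run():
    return find_orphan_updates(parse_access_log(ACCESS_LOG),
                               parse_rt_log(RT_LOG),
                               parse_transactions(DB_TRANSACTIONS))


if __name__ == "__main__":
    for f in run():
        print(f"{f['ts']:%Y-%m-%d %H:%M:%S} {f['client']} ticket={f['ticket']} "
              f"POST Update.html with {len(f['errors'])} RT errors and no transaction row:")
        for msg in f["errors"]:
            print("   ", msg)
```

On the sample data the script reports the single 18:24:23 POST from 192.168.X.Y against ticket 41114, with the three RT entries and no Transactions row nearby, which is exactly the gap the post describes. Run over a longer retention period it also answers the "have we ever seen this before" question mechanically: any earlier POST that meets the same three conditions shows up, and one that produced a transaction row does not.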
