
Bug 285298 (CVE-2009-3585)

Summary: <www-apps/rt-3.8.10: XSS (CVE-2009-{3585,4151})
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: bug, eric.joshua.martin, web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/36752/
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) 2009-09-17 10:55:30 UTC
From Secunia:
A vulnerability has been reported in RT, which can be exploited by malicious people to conduct script insertion attacks.

Certain input displayed via custom fields is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site if malicious data is viewed.

Successful exploitation requires "ModifyCustomField" permissions or that e.g. malicious people can set custom field values via automated parsing scripts or the Web UI.

The vulnerability is reported in versions 3.4.6 to 3.8.4.
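
The Secunia text above describes stored script insertion through custom field values that are echoed without escaping. The following is an added example, not code from this bug report or from RT, showing the unescaped rendering beside a context-aware escaped rendering and a small checker that lists what a browser would actually parse from each. The field name, the hostile value and the markup layout are all constructed for the illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a custom field value as someone holding the
# ModifyCustomField right could store it (made up for this example).
HOSTILE_VALUE = '<script>alert(1)</script>" onmouseover="alert(2)'


def render_custom_field_unescaped(name: str, value: str) -> str:
    """Mirrors the flaw class the advisory describes: the stored value is
    interpolated straight into text and attribute contexts."""
    return (f'<div class="custom-field" data-field="{name}">'
            f'<span class="label">{name}</span>: '
            f'<span class="value" title="{value}">{value}</span>'
            f'</div>')


def render_custom_field(name: str, value: str) -> str:
    """Escaped rendering.  html.escape(quote=True) neutralises < > & in the
    text context and additionally " and ' so a value cannot close the
    title attribute and introduce an event-handler attribute."""
    safe_name = html.escape(name, quote=True)
    safe_value = html.escape(value, quote=True)
    return (f'<div class="custom-field" data-field="{safe_name}">'
            f'<span class="label">{safe_name}</span>: '
            f'<span class="value" title="{safe_value}">{safe_value}</span>'
            f'</div>')


class _TagCollector(HTMLParser):
    """Records every start tag and attribute name the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(k for k, _ in attrs)


def injected_markup(fragment: str) -> tuple:
    """Return (tags outside the template's own div/span, on* attributes).
    Both lists are empty when the stored value stayed inert text."""
    collector = _TagCollector()
    collector.feed(fragment)
    allowed = {"div", "span"}
    return ([t for t in collector.tags if t not in allowed],
            [a for a in collector.attrs if a.startswith("on")])


if __name__ == "__main__":
    print(injected_markup(render_custom_field_unescaped("Severity", HOSTILE_VALUE)))
    print(injected_markup(render_custom_field("Severity", HOSTILE_VALUE)))
```

Escaping at output time, per context, is the check that matters here; restricting who holds ModifyCustomField only narrows who can plant the value, and the advisory itself notes that automated parsing scripts can set custom fields too.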
Comment 1 Alex Legler (RETIRED) 2009-12-03 09:17:03 UTC
CVE-2009-3585 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3585):
  Session fixation vulnerability in html/Elements/SetupSessionCookie in
  Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through
  3.8.5 allows remote attackers to hijack web sessions by setting the
  session identifier via a manipulation that leverages a second web
  server within the same domain.

CVE-2009-4151 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4151):
  Session fixation vulnerability in html/Elements/SetupSessionCookie in
  Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through
  3.8.5 allows remote attackers to hijack web sessions by setting the
  session identifier via a manipulation that leverages "HTTP access to
  the RT server," a related issue to CVE-2009-3585.
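
Both NVD entries above describe session fixation: a session identifier chosen by the attacker (planted as a cookie through another host in the same domain, or through plain HTTP access) is honoured by the server, so once the victim logs in the attacker already holds a valid identifier. The following is an added example, not RT's code and not its actual fix; it models the flawed behaviour next to the two mitigations a defender would assume (issue-only session ids and rotation on authentication) using an in-memory store. The class names, the PLANTED_ID value and the scenario function are constructed for this illustration.

```python
import secrets

# Constructed value: an identifier an attacker managed to plant in the
# victim's browser as a cookie for the shared domain (made up here).
PLANTED_ID = "attacker-chosen-session-id"


class FixableSessionStore:
    """Models the flaw the NVD entries describe: whatever identifier the
    cookie carries is accepted and a session is created under it, and the
    identifier survives login unchanged."""

    def __init__(self):
        self.sessions = {}

    def resume_or_create(self, cookie_id):
        sid = cookie_id or secrets.token_urlsafe(32)
        self.sessions.setdefault(sid, {"user": None})
        return sid

    def login(self, sid, user):
        self.sessions[sid]["user"] = user
        return sid  # same id before and after authentication

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


class HardenedSessionStore(FixableSessionStore):
    """Assumed mitigation (not taken from RT): only server-issued ids
    resume a session, and the id is rotated when the session gains a user."""

    def resume_or_create(self, cookie_id):
        # Rule 1: an id this server never issued is ignored, not adopted.
        if cookie_id in self.sessions:
            return cookie_id
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        # Rule 2: authentication moves the session data under a fresh id,
        # so anything learned before login no longer names a live session.
        data = self.sessions.pop(sid)
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = data
        return new_sid


def run_fixation_scenario(store):
    """The victim arrives carrying the planted cookie, then logs in.
    Reports whether the planted id became the victim's id and what the
    attacker sees when presenting the planted id afterwards."""
    victim_sid = store.resume_or_create(PLANTED_ID)
    victim_sid = store.login(victim_sid, "victim")
    return {
        "victim_got_planted_id": victim_sid == PLANTED_ID,
        "attacker_sees_user": store.user_for(PLANTED_ID),
    }


if __name__ == "__main__":
    print("fixable :", run_fixation_scenario(FixableSessionStore()))
    print("hardened:", run_fixation_scenario(HardenedSessionStore()))
```

Rule 1 alone defeats the planted-cookie case; rule 2 also covers an id the attacker learned legitimately before the victim authenticated, which is why the two are normally applied together. Cookie scoping (host-only cookies, Secure and HttpOnly) narrows how an id can be planted or read but does not replace either rule.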

Comment 2 Eric Martin 2011-09-08 19:50:53 UTC
I am currently working on bumping rt from 3.6.7 -> 3.8.10 and finally 4.0.2. 3.8.10 resolves all of these issues, and work is being done in bug #235914. I have posted a diff for 3.8.10 and I'm waiting for my proxy maintainer to sign off on it.
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2011-10-02 18:10:31 UTC
rt-3.8.10 is in tree. No stable version => this bug is fixed.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-10-02 21:42:55 UTC
Thanks, folks. Closing noglsa.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-10-02 21:44:19 UTC
Alright, really closing.