Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 285298 (CVE-2009-3585) - <www-apps/rt-3.8.10: XSS (CVE-2009-{3585,4151})
Summary: <www-apps/rt-3.8.10: XSS (CVE-2009-{3585,4151})
Status: RESOLVED FIXED
Alias: CVE-2009-3585
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/36752/
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-09-17 10:55 UTC by Alex Legler (RETIRED)
Modified: 2011-10-02 21:44 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-17 10:55:30 UTC
From Secunia:
A vulnerability has been reported in RT, which can be exploited by malicious people to conduct script insertion attacks.

Certain input displayed via custom fields is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site if malicious data is viewed.

Successful exploitation requires "ModifyCustomField" permissions or that e.g. malicious people can set custom field values via automated parsing scripts or the Web UI.

The vulnerability is reported in versions 3.4.6 to 3.8.4.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-12-03 09:17:03 UTC
CVE-2009-3585 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3585):
  Session fixation vulnerability in html/Elements/SetupSessionCookie in
  Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through
  3.8.5 allows remote attackers to hijack web sessions by setting the
  session identifier via a manipulation that leverages a second web
  server within the same domain.

CVE-2009-4151 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4151):
  Session fixation vulnerability in html/Elements/SetupSessionCookie in
  Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through
  3.8.5 allows remote attackers to hijack web sessions by setting the
  session identifier via a manipulation that leverages "HTTP access to
  the RT server," a related issue to CVE-2009-3585.

Comment 2 Eric Martin 2011-09-08 19:50:53 UTC
I am currently working on bumping rt from 3.6.7 -> 3.8.10 and finally 4.0.2. 
3.8.10 resolves all of these issues, and work is being done in bug #235914.  I
have posted a diff for 3.8.10 and I'm waiting for my proxy maintainer to sign
off on it.
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2011-10-02 18:10:31 UTC
rt-3.8.10 is in tree. No stable version => this bug is fixed.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-10-02 21:42:55 UTC
Thanks, folks. Closing noglsa.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-10-02 21:44:19 UTC
Alright, really closing.