100761 2003-05-08 18:01 /51 lines/ Chris Knipe <savage@savage.za.org>
Imported: 2003-05-08 18:01 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: savage@savage.za.org
Recipient: Bugtraq (import) <4819>
Subject: Fw: [rt-users] [rt-announce] RT 1.0.7 vulnerable to Cross Site Scripting attacks
------------------------------------------------------------

----- Original Message -----
From: "Jesse Vincent" <jesse@bestpractical.com>
To: <rt-announce@fsck.com>
Sent: Thursday, May 08, 2003 1:14 PM
Subject: [rt-users] [rt-announce] RT 1.0.7 vulnerable to Cross Site Scripting attacks

> All versions of RT 1.0, up to and including RT 1.0.7, are vulnerable to
> a cross site scripting attack with content included in message bodies.
> If you use RT 1.0 to handle mail from unknown or possibly malicious
> users, an attacker could exploit this hole to perform actions within RT
> as any staff user who uses RT 1.0's web interface to view a malicious
> message. More information on CSS attacks is available at
> http://www.cgisecurity.com/articles/xss-faq.shtml
>
> We recommend that all users upgrade to RT 2.0.15 or RT 3.0, as we don't
> currently plan to release a new version of RT 1.0.x (it's been
> retired for several years now). If an end-user provides us with a
> verifiable patch to resolve this issue, we would be delighted to publish
> it as RT 1.0.8.
>
> Information about current versions of RT is available at
> http://bestpractical.com/rt. If, for some reason, you are unable to
> upgrade from RT 1.0.x and require commercial support, please address all
> inquiries to sales@bestpractical.com.
>
> We are grateful to Troy Davis and the Semaphore Corporation for bringing
> this issue to our attention.
>
> Best,
> Jesse Vincent
> Best Practical Solutions, LLC
>
> --
> http://www.bestpractical.com/rt -- Trouble Ticketing. Free.
>
> _______________________________________________
> rt-announce mailing list
> rt-announce@lists.fsck.com
> http://lists.fsck.com/mailman/listinfo/rt-announce
>
> _______________________________________________
> rt-users mailing list
> rt-users@lists.fsck.com
> http://lists.fsck.com/mailman/listinfo/rt-users
>
> Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm

(100761) /Chris Knipe <savage@savage.za.org>/-------
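The bug class the advisory describes, shown as an added example that is not part of the original message and not RT's own rendering code: a ticket body is interpolated into the staff-facing HTML page verbatim, so a sender who puts a script element in the body gets it executed in the browser of whoever views the ticket, with that viewer's session. The ticket fields, the page template, the request path in the payload and the `foreign_tags` check are all assumptions made for this illustration; the fix shown is the generic one of HTML-escaping every user-controlled field at output time.

```python
"""
Vulnerable versus escaped rendering of a user-supplied ticket body.
Example code written for this page, not RT's own code. The template,
ticket fields and the URL in the payload are constructed for the example.
"""
import re
from html import escape

# Constructed sample input: a ticket body that carries a script payload.
# The path it requests is made up; in a real attack it would be whatever
# state-changing action the viewing staff user is allowed to perform.
MALICIOUS_BODY = (
    "Hello, please help with my account.\n"
    "<script>fetch('/tickets/42/resolve')</script>"
)

# Tags the (assumed) page template itself emits. Anything else in the
# rendered output must have come from user-controlled text.
TEMPLATE_TAGS = {"h1", "/h1", "pre", "/pre"}


def render_ticket_unsafe(subject: str, body: str) -> str:
    """Vulnerable pattern: raw interpolation of user text into HTML.

    The body is trusted as markup, so a browser parses the attacker's
    <script> element and runs it as the viewing staff member.
    """
    return f"<h1>{subject}</h1>\n<pre>{body}</pre>"


def render_ticket_safe(subject: str, body: str) -> str:
    """Fixed pattern: HTML-escape every user-controlled field on output.

    escape() turns '<', '>', '&' and (with quote=True) quotes into entities,
    so the text is displayed literally and cannot form an element or break
    out of an attribute value.
    """
    return (
        f"<h1>{escape(subject, quote=True)}</h1>\n"
        f"<pre>{escape(body, quote=True)}</pre>"
    )


def foreign_tags(rendered: str) -> list[str]:
    """Return tag names present in the rendered page that the template
    did not emit. A non-empty result means user input reached the browser
    as markup rather than as text. Assumed helper for this example only;
    it is a coarse output check, not a substitute for escaping."""
    found = re.findall(r"<\s*(/?[a-zA-Z][a-zA-Z0-9]*)", rendered)
    return [t.lower() for t in found if t.lower() not in TEMPLATE_TAGS]


if __name__ == "__main__":
    unsafe = render_ticket_unsafe("Help", MALICIOUS_BODY)
    safe = render_ticket_safe("Help", MALICIOUS_BODY)
    print("unsafe page contains:", foreign_tags(unsafe))   # ['script', '/script']
    print("escaped page contains:", foreign_tags(safe))    # []
```

The important design point is where the escaping happens: at the moment the text is written into HTML, not when the mail is received. Stored text should stay as the sender wrote it (staff need to read the raw content, and the same body may later be rendered into mail, a plain-text view or an attribute), and each output context applies its own encoding.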