Fw: [rt-users] [rt-announce] RT 1.0.7 vulnerable to Cross Site Scripting attacks

["Chris Knipe" <savage () savage za org>]

----- Original Message ----- 
From: "Jesse Vincent" <jesse () bestpractical com>
To: <rt-announce () fsck com>
Sent: Thursday, May 08, 2003 1:14 PM
Subject: [rt-users] [rt-announce] RT 1.0.7 vulnerable to Cross Site
Scripting attacks


> All versions of RT 1.0, up to and including RT 1.0.7 are vulnerable to
> a cross site scripting attack with content included in message bodies.
> If you use RT 1.0 to handle mail from unknown or possibly malicious
> users, an attacker could exploit this hole to perform actions within RT
> as any staff user who uses RT 1.0's web interface to view a malicious
> message. More information on CSS attacks is available at
> http://www.cgisecurity.com/articles/xss-faq.shtml
>
> We recommend that all users upgrade to RT 2.0.15 or RT 3.0, as we don't
> currently plan to release a new version of RT 1.0.x (It's been
> retired for several years now.) If an end-user provides us with a
> verifiable patch to resolve this issue, we would be delighted to publish
> it as RT 1.0.8.
>
> Information about current versions of RT is available at
> http://bestpractical.com/rt.  If, for some reason, you are unable to
> upgrade from RT 1.0.x and require commercial support, please address all
> inquiries to sales () bestpractical com.
>
> We are grateful to Troy Davis and the Semaphore Corporation for bringing
> this issue to our attention.
>
> Best,
> Jesse Vincent
> Best Practical Solutions, LLC
>
>
>
> -- 
> http://www.bestpractical.com/rt  -- Trouble Ticketing. Free.
> _______________________________________________
> rt-announce mailing list
> rt-announce () lists fsck com
> http://lists.fsck.com/mailman/listinfo/rt-announce
> _______________________________________________
> rt-users mailing list
> rt-users () lists fsck com
> http://lists.fsck.com/mailman/listinfo/rt-users
>
> Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm