Bugtraq mailing list archives
Fw: [rt-users] [rt-announce] RT 1.0.7 vulnerable to Cross Site Scripting attacks
From: "Chris Knipe" <savage () savage za org>
Date: Thu, 8 May 2003 13:38:14 +0200
----- Original Message -----
From: "Jesse Vincent" <jesse () bestpractical com>
To: <rt-announce () fsck com>
Sent: Thursday, May 08, 2003 1:14 PM
Subject: [rt-users] [rt-announce] RT 1.0.7 vulnerable to Cross Site Scripting attacks
All versions of RT 1.0, up to and including RT 1.0.7, are vulnerable to a cross site scripting attack with content included in message bodies. If you use RT 1.0 to handle mail from unknown or possibly malicious users, an attacker could exploit this hole to perform actions within RT as any staff user who uses RT 1.0's web interface to view a malicious message.

More information on CSS attacks is available at http://www.cgisecurity.com/articles/xss-faq.shtml

We recommend that all users upgrade to RT 2.0.15 or RT 3.0, as we don't currently plan to release a new version of RT 1.0.x (it's been retired for several years now). If an end-user provides us with a verifiable patch to resolve this issue, we would be delighted to publish it as RT 1.0.8.

Information about current versions of RT is available at http://bestpractical.com/rt. If, for some reason, you are unable to upgrade from RT 1.0.x and require commercial support, please address all inquiries to sales () bestpractical com.

We are grateful to Troy Davis and the Semaphore Corporation for bringing this issue to our attention.

Best,
Jesse Vincent
Best Practical Solutions, LLC
--
http://www.bestpractical.com/rt -- Trouble Ticketing. Free.

_______________________________________________
rt-announce mailing list
rt-announce () lists fsck com
http://lists.fsck.com/mailman/listinfo/rt-announce

_______________________________________________
rt-users mailing list
rt-users () lists fsck com
http://lists.fsck.com/mailman/listinfo/rt-users
Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm
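The bug class the advisory describes is a stored cross-site scripting flaw: text from an inbound mail body is written into the ticket page as live HTML, so markup sent by an outside party runs in the browser of whichever staff member opens the ticket, with that person's RT session. The following Python is an added illustration and is not RT's code or part of the original post; the ticket bodies are constructed samples, and the function names and the `<div>`/`<br>` wrapper markup are assumptions rather than RT 1.0's real templates. It puts the unsafe rendering pattern next to the output-encoded form, and adds two checks a defender can run: one over rendered pages (did any body content become a tag?) and one over raw incoming bodies (which tickets carry markup at all?).

```python
import html
import re

# Constructed sample ticket bodies (not taken from the advisory). ticket-2
# carries the kind of active content the advisory warns about; ticket-3 has
# characters that are harmless but still need encoding.
SAMPLE_BODIES = {
    "ticket-1": "Printer on floor 3 is jammed again.\nPlease send someone.",
    "ticket-2": "Hi,\n<script>/* attacker-supplied */</script>\nThanks <b>a lot</b>",
    "ticket-3": 'Error text was: "rc=2 & retry" <not a tag?>',
}

# Matches anything that an HTML parser would treat as a start or end tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_body_unsafe(body: str) -> str:
    """The vulnerable pattern: the mail body is interpolated into the page
    as-is, so any markup in it becomes part of the document the staff
    browser executes (hypothetical wrapper markup, not RT's)."""
    return '<div class="body">' + body.replace("\n", "<br>\n") + "</div>"


def render_body_safe(body: str) -> str:
    """The hardened form: encode the body as text before inserting it.
    quote=True also encodes quotes, which matters if the value is ever
    placed inside an attribute rather than element content."""
    escaped = html.escape(body, quote=True)
    return '<div class="body">' + escaped.replace("\n", "<br>\n") + "</div>"


def active_tags(rendered: str, wrapper_tags=("div", "br")) -> list:
    """Detection over a rendered page: return every tag that is not part of
    the renderer's own wrapper. A non-empty result means body content has
    crossed from data into markup."""
    found = []
    for match in TAG_RE.finditer(rendered):
        name = re.match(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", match.group(0)).group(1)
        if name.lower() not in wrapper_tags:
            found.append(match.group(0))
    return found


def bodies_with_markup(bodies: dict) -> list:
    """Triage over raw incoming bodies: which tickets contain tag-like text?
    Useful for reviewing historic tickets on an instance that ran the
    vulnerable renderer, since those are the ones staff may already have
    viewed."""
    return sorted(key for key, body in bodies.items() if TAG_RE.search(body))


if __name__ == "__main__":
    for key, body in SAMPLE_BODIES.items():
        print(key, "unsafe ->", active_tags(render_body_unsafe(body)))
        print(key, "safe   ->", active_tags(render_body_safe(body)))
    print("bodies carrying markup:", bodies_with_markup(SAMPLE_BODIES))
```

Running it shows `ticket-2` yielding `<script>`, `</script>`, `<b>` and `</b>` as live tags through `render_body_unsafe` and nothing through `render_body_safe`, while `bodies_with_markup` flags `ticket-2` and `ticket-3`. Encoding at output time is the right place for the fix: it does not depend on knowing every dangerous tag, and it keeps the message readable, since staff still see the attacker's markup as literal text rather than having it run.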