RT 3.4/3.6 possible mail loop issue. Patch Attached
In certain circumstances, a malicious (or incompetent) remote
attacker can coax an RT 3.4.6 or 3.6.3 instance into getting into a
mail loop with itself. Earlier releases may also be affected.

This vulnerability ONLY affects RT instances that have been
configured to restrict email creation of new tickets to users with
known accounts. Best Practical generally recommends that sites
configure RT somewhat more "openly," though we do support this
configuration.

The attached patch, which will be included in RT 3.6.4 and RT 3.4.7,
has resolved this issue in our testing and for the end user who
reported the issue. Community-provided help with this and other
RT-related issues is available via rt-users@lists.bestpractical.com,
our free and open RT support mailing list.

If you need professional assistance with this or any other RT-related
issue, please don't hesitate to contact us at sales@bestpractical.com.

We're indebted to Eric Jacksch of Tenebris Technologies Inc. for his
initial report of this issue and his help while we performed triage
and developed a solution.

Best,

Jesse Vincent
President
Best Practical Solutions, LLC