Internal audits of the RT codebase have uncovered a
number of security vulnerabilities in RT. We are releasing
versions 3.8.12 and 4.0.6 to resolve these vulnerabilities,
as well as patches which apply atop all released versions of
3.8 and 4.0.
The vulnerabilities addressed by 3.8.12, 4.0.6, and the
below patches include the following:
The previously released tool to upgrade weak password
hashes as part of CVE-2011-0009 was an incomplete fix: it
failed to upgrade the password hashes of disabled users,
which therefore remained in the weak format.
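The failure mode above, shown as an added example rather than the tool RT shipped: a bulk upgrade that wraps every legacy hash in a salted slow KDF, run once over enabled users only and once over all users. The hash formats, user table and helper names are assumptions made here for illustration and are not RT's storage format.

```python
"""Bulk upgrade of legacy password hashes that covers every account, including
disabled ones. Added example, not the tool RT shipped; the hash formats here
are assumptions chosen for illustration and are not RT's storage format."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 100_000  # assumption: tune for the deployment


def legacy_hash(password: str) -> str:
    """Assumed legacy format: unsalted hex MD5 of the password (weak, cheap to brute-force)."""
    return hashlib.md5(password.encode()).hexdigest()


def wrap_legacy(legacy_md5: str, salt: Optional[bytes] = None) -> str:
    """Upgrade a stored legacy hash by wrapping it in salted PBKDF2.

    The outer layer is computed over the stored hash, not the password, so a bulk
    tool can upgrade accounts without knowing any plaintext.
    Assumed upgraded format: "!pbkdf2!<salt hex>!<digest hex>".
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", legacy_md5.encode(), salt, PBKDF2_ITERATIONS)
    return f"!pbkdf2!{salt.hex()}!{digest.hex()}"


def is_legacy(stored: str) -> bool:
    return not stored.startswith("!pbkdf2!")


def verify(password: str, stored: str) -> bool:
    """Check a password against either format, comparing in constant time."""
    if is_legacy(stored):
        return hmac.compare_digest(stored, legacy_hash(password))
    _, _, salt_hex, digest_hex = stored.split("!")
    expected = hashlib.pbkdf2_hmac(
        "sha256", legacy_hash(password).encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest_hex, expected.hex())


def sample_users() -> List[Dict]:
    """Constructed user table (not real data): one disabled account still on the legacy format."""
    return [
        {"name": "alice", "disabled": False, "hash": legacy_hash("correct horse")},
        {"name": "bob",   "disabled": True,  "hash": legacy_hash("battery staple")},
        {"name": "carol", "disabled": False, "hash": wrap_legacy(legacy_hash("hunter2"))},
    ]


def upgrade_all(users: List[Dict], include_disabled: bool) -> List[str]:
    """Wrap every legacy hash in place and return the names upgraded.

    include_disabled=False reproduces the incomplete behaviour the advisory
    describes: a disabled account keeps its weak hash, and gets it back intact
    if the account is later re-enabled.
    """
    upgraded = []
    for user in users:
        if user["disabled"] and not include_disabled:
            continue
        if is_legacy(user["hash"]):
            user["hash"] = wrap_legacy(user["hash"])
            upgraded.append(user["name"])
    return upgraded


def remaining_legacy(users: List[Dict]) -> List[str]:
    """Audit helper: accounts (enabled or not) still carrying a legacy hash."""
    return [u["name"] for u in users if is_legacy(u["hash"])]


if __name__ == "__main__":
    users = sample_users()
    print("upgraded (enabled only):", upgrade_all(users, include_disabled=False))
    print("still weak:", remaining_legacy(users))
    print("upgraded (all):", upgrade_all(users, include_disabled=True))
    print("still weak:", remaining_legacy(users))
```

Two caveats worth keeping in mind: wrapping only protects against database dumps taken after the upgrade, since anyone already holding the old MD5 can still use it (which is why the password-hash disclosure below matters), and the wrapped form should be replaced by a direct slow hash of the plaintext the next time each user logs in successfully.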
RT versions 3.0 and above contain a number of cross-site
scripting (XSS) vulnerabilities which allow an attacker to
run JavaScript in the browser of a logged-in user, with that
user's session and privileges. CVE-2011-2083 is assigned to
this vulnerability.
RT versions 3.0 and above are vulnerable to multiple
information disclosure vulnerabilities. This includes the
ability for privileged users to expose other users' previous
password hashes; this is particularly dangerous given RT's
weak hashing prior to the fix in CVE-2011-0009. A separate
vulnerability allows privileged users to obtain the
correspondence history for any ticket in RT, including
tickets they have no right to see. CVE-2011-2084 is assigned
to these vulnerabilities.
All publicly released versions of RT are vulnerable to
cross-site request forgery (CSRF). CVE-2011-2085 is assigned
to this vulnerability.
We have also added a separate configuration option
($RestrictLoginReferrer) to prevent login CSRF, a different
class of CSRF attack in which the victim's browser is made to
log in to an account the attacker controls.
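The two defences named above, as an added example that is not RT's code: a per-session token for state-changing requests (against ordinary CSRF) and a Referer restriction on the login form (the idea behind $RestrictLoginReferrer, which is turned on in RT_SiteConfig.pm with `Set($RestrictLoginReferrer, 1);`). The request layout, the login path, the base URL and the handling of a missing Referer are assumptions made here. It also shows why the check must compare the parsed scheme and host rather than a string prefix.

```python
"""CSRF defences sketched in Python: a per-session token for state-changing
requests, and a Referer restriction on the login form, which is the idea behind
$RestrictLoginReferrer. Added example, not RT's code; the request layout, the
login path and the base URL are assumptions made here."""
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlparse

BASE_URL = "https://rt.example.com"  # assumption: the instance's public base URL
LOGIN_PATH = "/login"                 # assumption: the login form's action


def new_csrf_token() -> str:
    return secrets.token_hex(32)


def csrf_token_ok(session_token: Optional[str], submitted: Optional[str]) -> bool:
    """A state-changing request must echo the session's token; compare in constant time."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


def naive_referrer_ok(referer: Optional[str]) -> bool:
    """The tempting but wrong check: a string prefix match on the base URL.
    It accepts https://rt.example.com.evil.example/ because the prefix matches."""
    return referer is not None and referer.startswith(BASE_URL)


def login_referrer_ok(referer: Optional[str], restrict: bool, allow_missing: bool = True) -> bool:
    """Login-CSRF check in the spirit of $RestrictLoginReferrer.

    With restrict=False every login POST is accepted. With restrict=True the
    Referer's scheme and host must equal ours; a missing header is accepted only
    if allow_missing is set (some proxies and privacy tools strip it). Accepting
    a missing Referer is a policy choice made here, not RT's documented behaviour.
    """
    if not restrict:
        return True
    if referer is None:
        return allow_missing
    ours, theirs = urlparse(BASE_URL), urlparse(referer)
    return (theirs.scheme, theirs.netloc) == (ours.scheme, ours.netloc)


def authorize(request: Dict, session: Dict, restrict_login_referrer: bool) -> str:
    """Return "ok" or a rejection reason for a constructed request.

    request: {"method", "path", "headers", "form"}; session: {"csrf_token"}.
    GETs are assumed to be side-effect free, so only POSTs are checked.
    """
    if request["method"] != "POST":
        return "ok"
    referer = request["headers"].get("Referer")
    if request["path"] == LOGIN_PATH:
        # No session token exists yet at login time, so the Referer is the only signal.
        if login_referrer_ok(referer, restrict_login_referrer):
            return "ok"
        return "login referrer rejected"
    if not csrf_token_ok(session.get("csrf_token"), request["form"].get("csrf_token")):
        return "csrf token missing or wrong"
    return "ok"


if __name__ == "__main__":
    token = new_csrf_token()
    # Constructed forged request: a cross-site form post carrying no token.
    forged = {"method": "POST", "path": "/ticket/1/modify",
              "headers": {"Referer": "https://evil.example/"}, "form": {"Status": "resolved"}}
    print(authorize(forged, {"csrf_token": token}, True))  # csrf token missing or wrong
```

The login form cannot be protected by the session token, because the attacker's forged POST arrives before any session exists; that is why login CSRF needs a separate Referer-based control and a separate option to turn it on.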
RT versions 3.6.1 and above are vulnerable to remote code
execution if the optional VERP configuration options
($VERPPrefix and $VERPDomain) are enabled. RT 3.8.0 and
higher are vulnerable to a more limited remote code execution
which can be leveraged for privilege escalation. RT 4.0.0 and
above contain a vulnerability in the global
$DisallowExecuteCode option, allowing sufficiently privileged
users to execute code even when RT is configured to forbid
it. CVE-2011-4458 is assigned to this set of
vulnerabilities.
RT versions 3.0 and above may, under some circumstances,
still honor rights that a user holds only by way of
membership in a currently-disabled group. CVE-2011-4459 is
assigned to this vulnerability.
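The rights problem above, as an added example that is not RT's ACL code: a rights check that walks group memberships, with the flawed resolution (a disabled group still confers its rights, and still carries the user through to groups it is itself a member of) beside the correct one, plus an audit helper that lists which rights a user currently holds only through disabled groups. The principal model and the sample users, groups and ACL entries are constructed here.

```python
"""Rights resolution that ignores memberships held through a disabled group,
beside the flawed resolution the advisory describes. Added example, not RT's
ACL code; the principal model and the sample data are constructed here."""
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed data. Principals are "u:<user>" or "g:<group>"; groups carry a
# disabled flag.
GROUPS: Dict[str, bool] = {"g:Support": False, "g:Contractors": True, "g:Staff": False}

# Membership edges (member -> group). Groups can be members of groups, so a
# disabled group in the middle of a chain must block everything beyond it.
MEMBERSHIPS: List[Tuple[str, str]] = [
    ("u:alice", "g:Support"),
    ("u:bob", "g:Contractors"),
    ("g:Contractors", "g:Staff"),
    ("u:carol", "g:Staff"),
]

# ACL entries (principal, right). Entries for a disabled group usually stay in
# the table; disabling the group is supposed to make them inert, not delete them.
ACL: Set[Tuple[str, str]] = {
    ("g:Support", "ModifyTicket"),
    ("g:Contractors", "SeeQueue"),
    ("g:Staff", "ShowTicket"),
    ("u:bob", "OwnTicket"),
}


def effective_principals(user: str, honor_disabled: bool) -> Set[str]:
    """The user plus every group reachable through membership edges.

    With honor_disabled=True a disabled group is neither added nor traversed,
    which is what a correct rights check needs. honor_disabled=False models the
    bug: membership in a disabled group still counts, and so does everything
    reachable through it.
    """
    seen, queue = {user}, deque([user])
    while queue:
        principal = queue.popleft()
        for member, group in MEMBERSHIPS:
            if member != principal or group in seen:
                continue
            if honor_disabled and GROUPS.get(group, False):
                continue
            seen.add(group)
            queue.append(group)
    return seen


def has_right_buggy(user: str, right: str) -> bool:
    """Flawed check: disabled groups still confer rights."""
    return any((p, right) in ACL for p in effective_principals(user, honor_disabled=False))


def has_right(user: str, right: str) -> bool:
    """Correct check: only enabled groups confer rights."""
    return any((p, right) in ACL for p in effective_principals(user, honor_disabled=True))


def rights_via_disabled_groups(user: str) -> Set[str]:
    """Audit helper: rights the user would hold only because of disabled groups."""
    loose = {r for p, r in ACL if p in effective_principals(user, honor_disabled=False)}
    strict = {r for p, r in ACL if p in effective_principals(user, honor_disabled=True)}
    return loose - strict


if __name__ == "__main__":
    for user in ("u:alice", "u:bob", "u:carol"):
        print(user, sorted(rights_via_disabled_groups(user)))
```

Running the audit helper over every user before and after upgrading is a cheap way to see who was relying on a disabled group; in this constructed data that is bob, who loses SeeQueue and ShowTicket but keeps the OwnTicket right granted to him directly.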
RT versions 2.0 and above are vulnerable to a SQL
injection attack which allows privileged users to obtain
arbitrary information from the database. CVE-2011-4460 is
assigned to this vulnerability.