Bug 844454 - (CVE-2012-2770) CVE-2012-2770 RT::Authen::ExternalAuth: RSS feed URL session hijacking
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20120725,repor...
Keywords: Security
Depends On: 844456 844457
Reported: 2012-07-30 13:36 EDT by Kurt Seifried
Modified: 2012-12-11 04:16 EST
Doc Type: Bug Fix
Last Closed: 2012-12-11 04:16:45 EST
Description Kurt Seifried 2012-07-30 13:36:13 EDT
Best Practical reports:

We have determined a number of security vulnerabilities in commonly installed RT extensions, enumerated below. You can determine which, if any, of these extensions your RT installation is using by navigating to Configuration → Tools → System Configuration, and examining the "Plugins" configuration setting.

We have released updated versions of each vulnerable extension. Installation instructions for each are included in a README file in each extension's tarball. You need only download and upgrade these extensions if you have a previous version of them installed; RT installations with none of the below extensions installed are not vulnerable, and do not need to take action.

RT::Authen::ExternalAuth 0.10 and below (for all versions of RT) are vulnerable to an escalation of privilege attack where the URL of an RSS feed of the user can be used to acquire a fully logged-in session as that user. CVE-2012-2770 has been assigned to this vulnerability.

Users of RT 3.8.2 and above should upgrade to RT::Authen::ExternalAuth 0.11, which resolves this vulnerability. Because users of RT 3.8.1 cannot run RT::Authen::ExternalAuth later than 0.08 (due to bugs in plugin handling code in RT 3.8.1), we are also providing a patch which applies to RT::Authen::ExternalAuth 0.08. This patch should only be applied if you are running RT 3.8.1 and RT::Authen::ExternalAuth 0.08. Instructions for applying the patch can be found in the patch file itself.

References:
http://blog.bestpractical.com/2012/07/security-vulnerabilities-in-three-commonly-deployed-rt-extensions.html
http://cpan.metacpan.org/authors/id/A/AL/ALEXMV/RT-Authen-ExternalAuth-0.11.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-authen-externalauth-0.08.patch
Comment 1 Kurt Seifried 2012-07-30 13:42:02 EDT
Created perl-RT-Authen-ExternalAuth tracking bugs for this issue

Affects: fedora-all [bug 844456]
Comment 2 Kurt Seifried 2012-07-30 13:42:47 EDT
Created perl-RT-Authen-ExternalAuth tracking bugs for this issue

Affects: epel-6 [bug 844457]
Comment 3 Fedora Update System 2012-10-12 15:55:06 EDT
perl-RT-Authen-ExternalAuth-0.08-2.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Kurt Seifried 2012-12-11 04:16:07 EST
perl-RT-Authen-ExternalAuth-0.11-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Kurt Seifried 2012-12-11 04:16:23 EST
perl-RT-Authen-ExternalAuth-0.11-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.