Message-ID: <004301c31556$5018d000$1401a8c0@genocide>
Date: Thu, 8 May 2003 13:38:14 +0200
From: "Chris Knipe" <savage@...age.za.org>
To: <bugtraq@...urityfocus.com>
Subject: Fw: [rt-users] [rt-announce] RT 1.0.7 vulnerable to Cross Site Scripting attacks


----- Original Message ----- 
From: "Jesse Vincent" <jesse@...tpractical.com>
To: <rt-announce@...k.com>
Sent: Thursday, May 08, 2003 1:14 PM
Subject: [rt-users] [rt-announce] RT 1.0.7 vulnerable to Cross Site Scripting attacks


>
> All versions of RT 1.0, up to and including RT 1.0.7 are vulnerable to
> a cross site scripting attack with content included in message bodies.
> If you use RT 1.0 to handle mail from unknown or possibly malicious
> users, an attacker could exploit this hole to perform actions within RT
> as any staff user who uses RT 1.0's web interface to view a malicious
> message. More information on CSS attacks is available at
> http://www.cgisecurity.com/articles/xss-faq.shtml
>
> We recommend that all users upgrade to RT 2.0.15 or RT 3.0, as we don't
> currently plan to release a new version of RT 1.0.x (It's been
> retired for several years now.) If an end-user provides us with a
> verifiable patch to resolve this issue, we would be delighted to publish
> it as RT 1.0.8.
>
> Information about current versions of RT is available at
> http://bestpractical.com/rt.  If, for some reason, you are unable to
> upgrade from RT 1.0.x and require commercial support, please address all
> inquiries to sales@...tpractical.com.
>
> We are grateful to Troy Davis and the Semaphore Corporation for bringing
> this issue to our attention.
>
> Best,
> Jesse Vincent
> Best Practical Solutions, LLC
>
>
>
> -- 
> http://www.bestpractical.com/rt  -- Trouble Ticketing. Free.
> _______________________________________________
> rt-announce mailing list
> rt-announce@...ts.fsck.com
> http://lists.fsck.com/mailman/listinfo/rt-announce
> _______________________________________________
> rt-users mailing list
> rt-users@...ts.fsck.com
> http://lists.fsck.com/mailman/listinfo/rt-users
>
> Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm
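The advisory above describes stored cross-site scripting: text from an incoming e-mail is placed into the HTML page that staff users view, so markup the sender included runs in the staff user's browser. The following is an added illustration, not code from RT (which is written in Perl) or from the announcement: a constructed sample message body rendered first the unsafe way and then with HTML escaping applied before the text is embedded, plus a small check that reports any tags in the rendered fragment other than the template's own wrapper.

```python
import html
import re

# The template's own wrapper around a message body (hypothetical; RT's real
# templates differ).
WRAPPER_OPEN = '<pre class="message">'
WRAPPER_CLOSE = "</pre>"

# Constructed sample body from an unknown sender; the script element stands in
# for whatever markup the advisory's attacker would include.
SAMPLE_BODY = (
    "Hello support,\n"
    '<script>alert("xss")</script>\n'
    "Please reset my password."
)


def render_body_unsafe(body: str) -> str:
    """The pattern the advisory describes: the raw body is concatenated into
    the staff-facing page, so the browser interprets any tags it contains."""
    return WRAPPER_OPEN + body + WRAPPER_CLOSE


def render_body_escaped(body: str) -> str:
    """Hardened form: escape '<', '>', '&' and quotes before embedding, so the
    sender's text reaches the browser as text rather than markup. Any markup
    the template wants (line breaks, links) must be added after this step,
    never by trusting markup already in the body."""
    return WRAPPER_OPEN + html.escape(body, quote=True) + WRAPPER_CLOSE


_TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")


def foreign_tags(rendered: str) -> list:
    """Audit helper: list every HTML tag inside the wrapper. For output built by
    render_body_escaped this must be empty; anything else means sender-supplied
    markup survived into the page."""
    inner = rendered[len(WRAPPER_OPEN):len(rendered) - len(WRAPPER_CLOSE)]
    return _TAG_RE.findall(inner)


if __name__ == "__main__":
    print("unsafe :", foreign_tags(render_body_unsafe(SAMPLE_BODY)))
    print("escaped:", foreign_tags(render_body_escaped(SAMPLE_BODY)))
```

The escaping step is the whole fix; the audit helper only makes the difference visible and is the kind of assertion a template test suite can carry so the regression does not return.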


