Request Tracker 3.8.x < 3.8.17 / 4.x < 4.0.13 Multiple Vulnerabilities

This script is Copyright (C) 2013-2015 Tenable Network Security, Inc.


Synopsis :

The remote web server is running a Perl application that is affected
by multiple vulnerabilities.

Description :

According to its self-reported version number, the Best Practical
Solutions Request Tracker (RT) running on the remote web server is
version 3.8.x prior to 3.8.17 or version 4.x prior to 4.0.13. It is,
therefore, potentially affected by the following vulnerabilities :

- A flaw exists that allows a remote, authenticated
attacker with 'ModifyTicket' privileges to gain access
to 'DeleteTicket' privileges, allowing tickets to be
deleted without proper authorization. (CVE-2012-4733)

- A flaw exists where the 'rt' command-line tool uses
predictable temporary files. This allows a local
attacker, using a symlink, to overwrite arbitrary
files. (CVE-2013-3368)

- A flaw exists that allows a remote, authenticated
attacker who has permissions to view the administration
pages to call arbitrary Mason components without
control of the arguments passed to them. (CVE-2013-3369)

- A flaw exists where the application does not restrict
direct requests to private callback components.
(CVE-2013-3370)

- A cross-site scripting vulnerability exists related to
attachment file names that allows a remote attacker to
inject arbitrary script or HTML. (CVE-2013-3371)

- An unspecified flaw exists that allows a remote attacker
to inject multiple Content-Disposition HTTP headers and
possibly conduct cross-site scripting attacks.
(CVE-2013-3372)

- A flaw exists in the email templates that allows a
remote attacker to inject MIME headers in email
generated by the application. (CVE-2013-3373)

- An information disclosure vulnerability exists due to
the re-use of the Apache::Session::File session store.
(CVE-2013-3374)

- A flaw exists due to improper validation of URLs in
tickets when the 'MakeClicky' component is enabled,
which allows cross-site scripting attacks. Note that this
flaw only affects the RT 4.x branch. (CVE-2013-5587)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.
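The version comparison the description implies (flag an RT instance whose self-reported version is in 3.8.x below 3.8.17 or in 4.x below 4.0.13), written here as an added example that is not the Nessus plugin's own code; the banner format it searches for ("RT 4.0.12" / "Request Tracker 3.8.16") is an assumption, and the sample page text is constructed.

```python
import re

# Fixed releases per branch, as stated in the advisory.
FIXED = {
    "3.8": (3, 8, 17),
    "4": (4, 0, 13),
}

# Assumed banner format (not taken from the advisory): RT names itself
# as "RT <version>" or "Request Tracker <version>" in page text.
_VERSION_RE = re.compile(r"\b(?:RT|Request Tracker)\s+(\d+(?:\.\d+){1,3})\b")


def extract_version(text):
    """Return the first self-reported RT version string found, or None."""
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None


def parse_version(s):
    """'4.0.12' -> (4, 0, 12) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in s.split("."))


def fixed_version_for(ver):
    """Return the fixed release for ver's branch, or None if the branch is not covered."""
    if ver[:2] == (3, 8):
        return FIXED["3.8"]
    if ver[:1] == (4,):
        return FIXED["4"]
    return None


def is_affected(version_str):
    """True if version_str lies in an affected range named by the advisory."""
    ver = parse_version(version_str)
    fixed = fixed_version_for(ver)
    if fixed is None:
        return False  # e.g. 3.6.x: not in scope of this advisory
    # Pad both tuples so a short version such as "4.0" compares as (4, 0, 0).
    n = max(len(ver), len(fixed))
    return ver + (0,) * (n - len(ver)) < fixed + (0,) * (n - len(fixed))


def check_banner(text):
    """Return (version, affected); (None, False) when no version is reported."""
    v = extract_version(text)
    if v is None:
        return (None, False)
    return (v, is_affected(v))


if __name__ == "__main__":
    sample = "<div id='footer'>RT 4.0.12 Copyright 1996-2013</div>"  # constructed
    print(check_banner(sample))
```

Because the check trusts the self-reported number, a patched build that still reports an old version will be flagged, and a build whose banner was edited will not; treat the result as a prompt to verify, not as proof.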

See also :

http://www.nessus.org/u?4c8a91ea
http://www.nessus.org/u?e79fb8ab
http://seclists.org/fulldisclosure/2013/May/123

Solution :

Upgrade to Request Tracker 3.8.17 / 4.0.13 or later, or apply the
patch listed in the advisory.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.0
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false