FAQ manager for Request Tracker (RTFM) before 2.4.5 does not properly check user rights, which allows remote authenticated users to create arbitrary articles in arbitrary classes via unknown vectors.

According to its self-reported version number, the Best Practical Solutions Request Tracker (RT) running on the remote web server is version 3.x prior to 3.8.15 or version 4.x prior to 4.0.8. It is, therefore, potentially affected by the following vulnerabilities :

  - Users can inject arbitrary headers into outgoing email     provided they have ModifySelf or AdminUser privileges.
    A remote attacker could exploit this to gain sensitive     information or conduct phishing attacks. (CVE-2012-4730)

  - Any privileged user can create articles in any class due     to the application failing to properly verify user     access rights. (CVE-2012-4731)

  - A cross-site request forgery vulnerability exists that     allows a remote attacker to hijack the authentication     of users for requests that toggle ticket bookmarks.
    (CVE-2012-4732)

  - A warning bypass vulnerability exists that allows a     'confused deputy' attack during the handling of a     specially crafted link. (CVE-2012-4734)

  - A vulnerability exists that allows an attacker to send     arbitrary arguments to the command line for the GnuPG     client (if GnuPG is enabled), which could result in the     creation of arbitrary files with the permissions of the     web server. (CVE-2012-4884)

  - Multiple vulnerabilities exist related to the improper     signing or encryption of messages using GnuPG when GnuPG     is enabled. (CVE-2012-6578, CVE-2012-6579,     CVE-2012-6580, CVE-2012-6581)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

BestPractical report :

All versions of RT are vulnerable to an email header injection attack.
Users with ModifySelf or AdminUser can cause RT to add arbitrary headers or content to outgoing mail. Depending on the scrips that are configured, this may be be leveraged for information leakage or phishing.

RT 4.0.0 and above and RTFM 2.0.0 and above contain a vulnerability due to lack of proper rights checking, allowing any privileged user to create Articles in any class.

All versions of RT with cross-site-request forgery (CSRF) protection (RT 3.8.12 and above, RT 4.0.6 and above, and any instances running the security patches released 2012-05-22) contain a vulnerability which incorrectly allows though CSRF requests which toggle ticket bookmarks.

All versions of RT are vulnerable to a confused deputy attack on the user. While not strictly a CSRF attack, users who are not logged in who are tricked into following a malicious link may, after supplying their credentials, be subject to an attack which leverages their credentials to modify arbitrary state. While users who were logged in would have observed the CSRF protection page, users who were not logged in receive no such warning due to the intervening login process. RT has been extended to notify users of pending actions during the login process.

RT 3.8.0 and above are susceptible to a number of vulnerabilities concerning improper signing or encryption of messages using GnuPG; if GnuPG is not enabled, none of the following affect you.

It was discovered that RTFM, the FAQ manager for Request Tracker, allows authenticated users to create articles in any class.

ID	Name	Product	Family	Severity
63065	Request Tracker 3.x < 3.8.15 / 4.x < 4.0.8 Multiple Vulnerabilities	Nessus	CGI abuses	medium
62793	FreeBSD : RT -- Multiple Vulnerabilities (4b738d54-2427-11e2-9817-c8600054b392)	Nessus	FreeBSD Local Security Checks	medium
62723	Debian DSA-2568-1 : rtfm - privilege escalation	Nessus	Debian Local Security Checks	medium

Detections

Analytics

CVE-2012-4731

medium

Tenable Plugins

medium

medium

medium