Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject multiple Content-Disposition HTTP headers and possibly conduct cross-site scripting (XSS) attacks via unspecified vectors.

According to its self-reported version number, the Best Practical Solutions Request Tracker (RT) running on the remote web server is version 3.8.x prior to 3.8.17 or version 4.x prior to 4.0.13. It is, therefore, potentially affected by the following vulnerabilities :

  - A flaw exists that allows a remote, authenticated     attacker with 'ModifyTicket' privileges to gain access     to 'DeleteTicket' privileges, allowing tickets to be     deleted without proper authorization. (CVE-2012-4733)

  - A flaw exists where the 'rt' command-line tool uses     predictable temporary files. This allows a local     attacker, using a symlink, to overwrite arbitrary     files. (CVE-2013-3368)

  - A flaw exists that allows a remote, authenticated     attacker who has permissions to view the administration     pages to call arbitrary Mason components without the     control of arguments (CVE-2013-3369)

  - A flaw exists where the application does not restrict     direct requests to private callback components.
    (CVE-2013-3370)

  - A cross-site scripting vulnerability exists related to     attachment file names that allows a remote attacker to     inject arbitrary script or HTML. (CVE-2013-3371)

  - An unspecified flaw exists that allows a remote attacker     to inject multiple Content-Disposition HTTP headers and     possibly conduct cross-site scripting attacks.
    (CVE-2013-3372)

  - A flaw exists in the email templates that allows a     remote attacker to inject MIME headers in email     generated by the application. (CVE-2013-3373)

  - An information disclosure vulnerability exists due to     the re-use of the Apache::Session::File session store.
    (CVE-2013-3374)

  - A flaw exists due to improper validation of URLs in     tickets when the 'MakeClicky' component is enabled,     which allows cross-site scripting attacks. Note this     flaw only affects the RT 4.x branch. (CVE-2013-5587)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Versions of Request Tracker earlier than 3.8.17 and 4.0.13 are affected by the following vulnerabilities :

 - The rt command line tool uses semi-predictable temporary files. A malicious user can use this flaw to overwrite files with permissions of the user running the rt command line tool. (CVE-2013-3368)
 - A malicious user who is allowed to see administration pages can run arbitrary Mason components (without control of arguments), which may have negative side-effects. (CVE-2013-3369)
 - RT allows direct requests to private callback components, which could be used to exploit a Request Tracker extension or a local callback which uses the arguments passed to it insecurely. (CVE-2013-3370)
 - Cross-site scripting attacks via attachment filenames. (CVE-2013-3371)
 - HTTP header injection limited to the value of the Content-Disposition header. (CVE-2013-3372)
 - A MIME header injection in outgoing email is possible via email templates. (Stock templates are resolved by updates, but any custom email templates should be updated to ensure that values interpolated into mail headers do not contain newlines.) (CVE-2013-3373)
 - Request Tracker is vulnerable to limited session re-use when using the file-based session store, Apache::Session::File. However Request Tracker's default session configuration only uses Apache::Session::File when configured for Oracle databases. (CVE-2013-3374)
 - RT 4.0.0 and above are vulnerable to a limited privilege escalation leading to unauthorized modification of ticket data. (CVE-2012-4733)

Thomas Sibley reports :

We discovered a number of security vulnerabilities which affect both RT 3.8.x and RT 4.0.x. We are releasing RT versions 3.8.17 and 4.0.13 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 3.8 and 4.0.

The vulnerabilities addressed by 3.8.17, 4.0.13, and the below patches include the following :

RT 4.0.0 and above are vulnerable to a limited privilege escalation leading to unauthorized modification of ticket data. The DeleteTicket right and any custom life cycle transition rights may be bypassed by any user with ModifyTicket. This vulnerability is assigned CVE-2012-4733.

RT 3.8.0 and above include a version of bin/rt that uses semi-predictable names when creating tempfiles. This could possibly be exploited by a malicious user to overwrite files with permissions of the user running bin/rt. This vulnerability is assigned CVE-2013-3368.

RT 3.8.0 and above allow calling of arbitrary Mason components (without control of arguments) for users who can see administration pages. This could be used by a malicious user to run private components which may have negative side-effects. This vulnerability is assigned CVE-2013-3369.

RT 3.8.0 and above allow direct requests to private callback components. Though no callback components ship with RT, this could be used to exploit an extension or local callback which uses the arguments passed to it insecurely. This vulnerability is assigned CVE-2013-3370.

RT 3.8.3 and above are vulnerable to cross-site scripting (XSS) via attachment filenames. The vector is difficult to exploit due to parsing requirements. Additionally, RT 4.0.0 and above are vulnerable to XSS via maliciously-crafted 'URLs' in ticket content when RT's 'MakeClicky' feature is configured. Although not believed to be exploitable in the stock configuration, a patch is also included for RTIR 2.6.x to add bulletproofing. These vulnerabilities are assigned CVE-2013-3371.

RT 3.8.0 and above are vulnerable to an HTTP header injection limited to the value of the Content-Disposition header. Injection of other arbitrary response headers is not possible. Some (especially older) browsers may allow multiple Content-Disposition values which could lead to XSS. Newer browsers contain security measures to prevent this.
Thank you to Dominic Hargreaves for reporting this vulnerability. This vulnerability is assigned CVE-2013-3372.

RT 3.8.0 and above are vulnerable to a MIME header injection in outgoing email generated by RT. The vectors via RT's stock templates are resolved by this patchset, but any custom email templates should be updated to ensure that values interpolated into mail headers do not contain newlines. This vulnerability is assigned CVE-2013-3373.

RT 3.8.0 and above are vulnerable to limited session re-use when using the file-based session store, Apache::Session::File. RT's default session configuration only uses Apache::Session::File for Oracle. RT instances using Oracle may be locally configured to use the database-backed Apache::Session::Oracle, in which case sessions are never re-used. The extent of session re-use is limited to information leaks of certain user preferences and caches, such as queue names available for ticket creation. Thank you to Jenny Martin for reporting the problem that lead to discovery of this vulnerability. This vulnerability is assigned CVE-2013-3374.

Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2012-4733     A user with the ModifyTicket right can bypass the     DeleteTicket right or any custom life cycle transition     rights and thus modify ticket data without     authorization.

  - CVE-2013-3368     The rt command line tool uses semi-predictable temporary     files. A malicious user can use this flaw to overwrite     files with permissions of the user running the rt     command line tool.

  - CVE-2013-3369     A malicious user who is allowed to see administration     pages can run arbitrary Mason components (without     control of arguments), which may have negative     side-effects.

  - CVE-2013-3370     Request Tracker allows direct requests to private     callback components, which could be used to exploit a     Request Tracker extension or a local callback which uses     the arguments passed to it insecurely.

  - CVE-2013-3371     Request Tracker is vulnerable to cross-site scripting     attacks via attachment filenames.

  - CVE-2013-3372     Dominic Hargreaves discovered that Request Tracker is     vulnerable to an HTTP header injection limited to the     value of the Content-Disposition header.

  - CVE-2013-3373     Request Tracker is vulnerable to a MIME header injection     in outgoing email generated by Request Tracker.

  Request Tracker stock templates are resolved by this update. But any   custom email templates should be updated to ensure that values   interpolated into mail headers do not contain newlines.

  - CVE-2013-3374     Request Tracker is vulnerable to limited session re-use     when using the file-based session store,     Apache::Session::File. However Request Tracker's default     session configuration only uses Apache::Session::File     when configured for Oracle databases.

This version of Request Tracker includes a database content upgrade.
If you are using a dbconfig-managed database, you will be offered the choice of applying this automatically. Otherwise see the explanation in /usr/share/doc/request-tracker4/NEWS.Debian.gz for the manual steps to perform.

Please note that if you run request-tracker4 under the Apache web server, you must stop and start Apache manually. The 'restart' mechanism is not recommended, especially when using mod_perl or any form of persistent Perl process such as FastCGI or SpeedyCGI.

Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2013-3368     The rt command line tool uses semi-predictable temporary     files. A malicious user can use this flaw to overwrite     files with permissions of the user running the rt     command line tool.

  - CVE-2013-3369     A malicious user who is allowed to see administration     pages can run arbitrary Mason components (without     control of arguments), which may have negative     side-effects.

  - CVE-2013-3370     Request Tracker allows direct requests to private     callback components, which could be used to exploit a     Request Tracker extension or a local callback which uses     the arguments passed to it insecurely.

  - CVE-2013-3371     Request Tracker is vulnerable to cross-site scripting     attacks via attachment filenames.

  - CVE-2013-3372     Dominic Hargreaves discovered that Request Tracker is     vulnerable to an HTTP header injection limited to the     value of the Content-Disposition header.

  - CVE-2013-3373     Request Tracker is vulnerable to a MIME header injection     in outgoing email generated by Request Tracker.

  Request Tracker stock templates are resolved by this update. But any   custom email templates should be updated to ensure that values   interpolated into mail headers do not contain newlines.

  - CVE-2013-3374     Request Tracker is vulnerable to limited session re-use     when using the file-based session store,     Apache::Session::File. However Request Tracker's default     session configuration only uses Apache::Session::File     when configured for Oracle databases.

This version of Request Tracker includes a database content upgrade.
If you are using a dbconfig-managed database, you will be offered the choice of applying this automatically. Otherwise see the explanation in /usr/share/doc/request-tracker3.8/NEWS.Debian.gz for the manual steps to perform.

Please note that if you run request-tracker3.8 under the Apache web server, you must stop and start Apache manually. The 'restart' mechanism is not recommended, especially when using mod_perl or any form of persistent Perl process such as FastCGI or SpeedyCGI.

ID	Name	Product	Family	Severity
68996	Request Tracker 3.8.x < 3.8.17 / 4.x < 4.0.13 Multiple Vulnerabilities	Nessus	CGI abuses	medium
6841	RT: Request Tracker < 3.8.17 / 4.0.13 Multiple Vulnerabilities	Nessus Network Monitor	CGI	medium
66581	FreeBSD : RT -- multiple vulnerabilities (3a429192-c36a-11e2-97a9-6805ca0b3d42)	Nessus	FreeBSD Local Security Checks	medium
66547	Debian DSA-2671-1 : request-tracker4 - several vulnerabilities	Nessus	Debian Local Security Checks	medium
66546	Debian DSA-2670-1 : request-tracker3.8 - several vulnerabilities	Nessus	Debian Local Security Checks	medium

Detections

Analytics

CVE-2013-3372

medium

Tenable Plugins

medium

medium

medium

medium

medium