[H-GEN] Request tracker 1 or 2

Jason Henry Parker jasonp at uq.net.au
Thu Mar 28 23:21:53 EST 2002


[ Humbug *General* list - semi-serious discussions about Humbug and  ]
[ Unix-related topics.  Please observe the list's charter.           ]
[ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]

Greg Black <gjb at humbug.org.au> writes:

>     Date: Wed, 27 Mar 2002 23:16:35 -0500
>     From: Jesse Vincent <jesse at bestpractical.com>
>     To: rt-announce at fsck.com
>     Message-ID: <20020327231635.A20019 at fsck.com>
>     Subject: [rt-announce] RT 2.0.13 - CRITICAL FIX FOR REMOTE EXPLOIT
> 
>     45 minutes ago, I was informed of a remotely exploitable
>     bug in RT 2.0's password verification routine that can
>     allow remote users who have HTTP access to an RT 
>     instance's web interface to gain administrative 
>     permissions. This bug affects ALL releases of RT 2.0 
>     prior to 2.0.13.

Quite frankly I'm not at all surprised.  RT 2.0's password handling is
an abomination.
-- 
||----|---|------------|--|-------|------|-----------|-#---|-|--|------||
|                                                      jasonp at uq.net.au |
| `Duck.  Duck.  Duck.  Duck.  Duck.  Duck.' -- Ann Burlingham          |
||--|--------|--------------|----|-------------|------|---------|-----|-|

--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.


