[H-GEN] Request tracker 1 or 2
Jason Henry Parker
jasonp at uq.net.au
Thu Mar 28 23:21:53 EST 2002
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Please observe the list's charter. ]
[ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]
Greg Black <gjb at humbug.org.au> writes:
> Date: Wed, 27 Mar 2002 23:16:35 -0500
> From: Jesse Vincent <jesse at bestpractical.com>
> To: rt-announce at fsck.com
> Message-ID: <20020327231635.A20019 at fsck.com>
> Subject: [rt-announce] RT 2.0.13 - CRITICAL FIX FOR REMOTE EXPLOIT
>
> 45 minutes ago, I was informed of a remotely exploitable
> bug in RT 2.0's password verification routine that can
> allow remote users who have HTTP access to an RT
> instance's web interface to gain administrative
> permissions. This bug affects ALL releases of RT 2.0
> prior to 2.0.13.
Quite frankly I'm not at all surprised. RT 2.0's password handling is
an abomination.
--
||----|---|------------|--|-------|------|-----------|-#---|-|--|------||
| jasonp at uq.net.au |
| `Duck. Duck. Duck. Duck. Duck. Duck.' -- Ann Burlingham |
||--|--------|--------------|----|-------------|------|---------|-----|-|
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.