Security vulnerabilities in RT

Internal audits of the RT codebase have uncovered a number of security vulnerabilities in RT. We are releasing versions 3.8.12 and 4.0.6 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 3.8 and 4.0.

The vulnerabilities addressed by 3.8.12, 4.0.6, and the below patches include the following:

The previously released tool to upgrade weak password hashes as part of CVE-2011-0009 was an incomplete fix and failed to upgrade passwords of disabled users. This release includes an updated version of the vulnerable-passwords tool, which should be run again to upgrade the remaining password hashes. CVE-2011-2082 is assigned to this vulnerability.

RT versions 3.0 and above contain a number of cross-site scripting (XSS) vulnerabilities which allow an attacker to run JavaScript with the user's credentials. CVE-2011-2083 is assigned to this vulnerability.

RT versions 3.0 and above are vulnerable to multiple information disclosure vulnerabilities. This includes the ability for privileged users to expose users' previous password hashes -- this vulnerability is particularly dangerous given RT's weak hashing previous to the fix in CVE-2011-0009. A separate vulnerability allows privileged users to obtain correspondence history for any ticket in RT. CVE-2011-2084 is assigned to this vulnerability.

All publicly released versions of RT are vulnerable to cross-site request forgery (CSRF), in which a malicious website causes the browser to make a request to RT as the currently logged in user. This attack vector could be used for information disclosure, privilege escalation, and arbitrary execution of code. Because some external integrations may rely on RT's previously permissive functionality, we have included a configuration option ($RestrictReferrer) to disable CSRF protection. We have also added an additional configuration parameter ($ReferrerWhitelist) to aid in exempting certain originating sites from CSRF protections. CVE-2011-2085 is assigned to this vulnerability.

We have also added a separate configuration option ($RestrictLoginReferrer) to prevent login CSRF, a different class of CSRF attack where the user is silently logged in using the attacker's credentials. $RestrictLoginReferrer defaults to disabled, because this functionality's benign usage is more commonly relied upon and presents less of a threat vector for RT than many other types of online applications.

RT versions 3.6.1 and above are vulnerable to a remote execution of code vulnerability if the optional VERP configuration options ($VERPPrefix and $VERPDomain) are enabled. RT 3.8.0 and higher are vulnerable to a limited remote execution of code which can be leveraged for privilege escalation. RT 4.0.0 and above contain a vulnerability in the global $DisallowExecuteCode option, allowing sufficiently privileged users to still execute code even if RT was configured to not allow it. CVE-2011-4458 is assigned to this set of vulnerabilities.

RT versions 3.0 and above may, under some circumstances, still respect rights that a user only has by way of a currently-disabled group. CVE-2011-4459 is assigned to this vulnerability.

RT versions 2.0 and above are vulnerable to a SQL injection attack, which allow privileged users to obtain arbitrary information from the database. CVE-2011-4460 is assigned to this vulnerability.

In addition to releasing RT versions 3.8.12 and 4.0.6 which address these issues, we have also collected patches for all releases of 3.8 and 4.0 into a distribution available for download at:

http://download.bestpractical.com/pub/rt/release/security-2012-05-22.tar.gz

The README in the tarball contains instructions for applying the patches. The patches require version 0.68 or higher of FCGI.pm if you are running a FastCGI deployment. A too-low version of this module will manifest as outgoing mail failing to be sent, and errors in the logs resembling:

Could not send mail with command `[...]`:
   Can't locate object method "FILENO" via package "FCGI::Stream"

If you need help resolving these security issues, we will provide discounted pricing for single-incident support; please contact us at sales at bestpractical.com for more information.

RT 4.0.5 Released

I'm happy to announce that RT 4.0.5 is now available.

This release contains a number of bugfixes and small improvements since the 4.0.4 release; a few of the more notable ones include:

• Greatly improved print CSS
• New Config option - HideResolveActionsWithDependencies removes actions such as Resolve from the action menu on tickets with outstanding dependencies
• New Config option - AutocompleteOwnersForSearch allows admins to force an Owner autocompleter in the Query Builder
• New Config option - NoTicketInterfaceForApprovals redirects users to the Approvals interface if they visit an Approval ticket in the regular RT UI
• Improved Simple Search documentation and new 'any' keyword for any status
• Improved case insensitivity in the User and Custom Field Autocompleters
• new --enable-ssl-mailgate configure option and rt-mailgate options to assist with setting rt-mailgate up to talk to your ssl enabled RT server
• More improvements to email quote detection to handle Outlook quoting
• The CreateTickets action now supports adding Groups as Watchers
• httpurl_overwrite no longer inserts spaces into your URLs
• Added NBSP as a search column in the Query Builder
• Maintain Approved/Denied state in the radio button on past Approvals
• Fixes for Bookmarked ticket searches
• Bugfixes for OverrideOutgoingMailFrom and sending bounces
• More consistent ordering of Articles
• Improvements to menu internals, including fixes for Search collections and localization of key names
• Preserve Content-Disposition when redistributing mail
• Improved PGP handling for .asc attachments with misleading content-types
• By default, RT's session cookie will not be available to javascript
• Allow Charts to be grouped by Told.
• Test and localization cleanups.

Boston RT Training Reminder — March 5 & 6, 2012

March 2012 will bring a two-day RT training session to our hometown of Boston! To learn more and sign up online, visit our shop.

Drop us a line at training@bestpractical.com with any questions you have or to inquire about discounted pricing for academic institutions.

Our 2012 training session highlights the new features available in RT 4.

Day 1 covers

• RT basics and concepts, concentrating on giving you an RT vocabulary and introducing you to parts of the basic and admin UI
• Installing, upgrading and deploying RT
• Mail and commandline access to RT
• Escalations and notifications using the backend tools
• Finding and installing extensions for RT and a walkthrough of common and popular extensions.

Day 2 covers

• Deeper exploration of the Admin UI covering Users, Groups, ACLs, Lifecycles, Scrips, Templates, Approvals and Articles
• Database administration and Full Text Searching
• Using external authentication with your RT
• Learn to build your own RT extension to apply customizations in a way that minimizes conflicts during an upgrade

A spot at either day costs $995 USD, but you can save 25% if you attend both days of training. That's just $1495 USD!

Reservations

We like to keep class sizes relatively intimate. Please register soon or we may not be able to guarantee you a seat.

When you register, please tell us which date(s) you are registering for, and whether you'd like to register for the whole training session or for only a single day.

If you'd like to pay via credit card, please visit Best Practical's online store. If you'd prefer to reserve a seat and have us bill you, please write to us training@bestpractical.com. Be sure to include the full names and email addresses of all attendees you'd like to register for training.

A tiny Christmas present for the Perl community

PAUSE has long had an SSL certificate signed with a CAcert  key. CAcert's aims are noble, but over the past few years, browsers have become incredibly cranky about SSL certificates from all but a few trusted providers.

As a small treat for the Perl community, Best Practical has just bought a "proper"  SSL certificate for https://pause.perl.org. We'd like to thank Andreas König for his tireless work to operate and maintain PAUSE and his help in making this happen.

RT Training in Boston — March 5 & 6, 2012

March 2012 will bring a two-day RT training session to our hometown of Boston!

To learn more and sign up online, visit our shop.

Drop us a line at training@bestpractical.com with any questions you have or to inquire about discounted pricing for academic institutions.

What does training cover?

The first day starts off with a tour of RT's web interface and continues with a detailed exploration and explanation of RT's functionality, workflows and configurability. We'll touch on basic administration, but concentrate largely on helping you and your team get the most out of your RT instance.

The second day of training picks up with RT administration and dives into what you need to safely customize and extend RT. We'll cover point-and-click configuration, upgrading and installing RT, development best practices, RT's API, building an extension, and database tuning.

It goes without saying that you'll get the most out of training if you attend both days of the course, but we've designed the material so that you can step out after the first day with a dramatically improved understanding of how to use RT or show up on the second day and get quickly up to speed on how to make RT do your bidding.

We're hiring! Come hack Perl for Best Practical.

About us

We're Best Practical Solutions, a small software company located in Somerville, MA. We build software and sell support, training, consulting, and custom development. Our main product, RT (Request Tracker), is the premiere open source issue tracking system. We've been around for a decade, and things just keep getting busier.

About the job

We're looking for a Perl hacker to help us enhance and refine our products, and as well as to be excellent to our customers. You'll be responsible for everything from implementing new features, to testing and applying user-contributed patches to our released software. In a typical week, you'll probably spend about half your time working on internal and open source projects, and half working on customer projects; this requires good communication skills, as well as a desire to help customers get the most out of our software.

The hours are flexible, and we all telecommute some of the time...though we work from our office in the heart of Davis Square, Somerville on most days. While we do a fair amount of our collaboration in-person, you should also be comfortable using email and instant messaging to coordinate and get work done, as we have a few employees in other parts of the globe.

About you

You should be a self-starter who has solid experience with Perl, as well as some experience with at least a few of the following buzzwords:

• Open source development practices (code review, backcompat)
• Distributed source control (git, branching, patches)
• Test driven development (smoke testing, Test::More)
• User interface design (HTML, CSS)
• Documentation (user-facing, API)
• Javascript (jQuery, events, AJAX)
• SQL databases (MySQL, PostgreSQL, Oracle, SQLite)
• Optimization, profiling, and debugging (nytprof)
• UNIX systems administration (webservers, mailservers)

It's okay if you don't know everything out of the gate, but you should be able to learn on the fly and be comfortable asking questions when you get in over your head. RT is a large codebase to dive into, so you should be prepared to work with a project that's too big to hold in your head all at once. If you want to see what sort of trouble you're getting yourself into, you can find all of our open source code on github.

We're a small company; you should be comfortable working both independently and in small teams, and prioritizing tasks on your own. Being able to task-switch efficiently and juggle several projects at once is a necessity.

Compensation

DOE - This is a full-time salaried position, but the details are negotiable. We're a small, self funded company. The standard benefits apply, of course: health insurance, dental insurance, and junk food to make that dental insurance worthwhile.

How to apply

Send something approximating a cover letter, a resume in plain text, HTML or PDF, and a sample of some code you've written to resumes@bestpractical.com. If you're involved in open source development of one kind or another, please tell us about it. If you have a CPAN ID tell us what it is; we won't consider applications without some sort of code example to look at. We'll be paying particular attention to the readability, comments, and tests.

RT 4.0.4 Released, fixes RT 3 -> 4.0.3 upgrade regression

RT 4.0.3 contained a serious bug wherein upgrades from any version of RT 3 to RT 4.0.3 broke template interpolation; please do not use it. If you had previously upgraded from RT 3 to RT 4.0.0, 4.0.1, or 4.0.2, before upgrading to RT 4.0.3, you are not affected by this bug.

If you are currently running RT 4.0.3 and are affected by this issue, upgrading to RT 4.0.4 will resolve it.

Download it here

RT 4.0.3 Released

I'm happy to announce that RT 4.0.3 is now available.

This release contains a number of bugfixes and small improvements since the 4.0.2 release; a few of the more notable ones include:

• Due to a change in RT 3.8.9, which also affected RT 4.0.0 and higher, TransactionBatch scrips were run twice; this has now been fixed.

• A new toggle has been added to expand all quote folding in a ticket's transaction history.

• New "On Forward", "On Forward Transaction" and "On Forward Ticket" conditions have been added.

• Ticket searches no longer forget which saved search they were loaded from when being updated.

• A new "make jsmin" target has been added to aid in downloading, compiling, and installing jsmin.

• Improved threading for automatically generated emails concerning a ticket.

• Improved detection of Outlook-style message fowarding headers.

• No longer error when a user has supplied a non-existant RT style; instead, fall back to the default. This is particularly relevant for users coming RT 3.8 with the 3.6 stylesheet applied, which no longer exists in 4.0.

• Improved handling of files named "0", and Unicode filenames, in file uploads.

• Tickets can no longer be linked to deleted tickets.

• Restore missing menus on simple search result pages.

• Fix support for perl 5.12 and later by removing a deprecated use of "defined %hash".

RT 3.8.11 Released

I'm happy to announce that RT 3.8.11 is now available.

This release contains a number of bugfixes and a minor security update in one of our dependencies:

• Adjust FCGI dependency to one which resolves FCGI's CVE-2011-2766

• New WebHttpOnlyCookies option, enabled by default, which hides RT's cookie from direct Javascript access.

• Compatibility with perl 5.12 and 5.14, by removing deprecated "for qw(...)" and "defined %hash" syntax.

• MySQL 5.5 compatibility, by specifying ENGINE=InnoDB rather than TYPE=InnoDB

• Ensure that RT::Interface::Web's _Overlay, _Local, and _Vendor files are loaded correctly.

• Fix session cleaner for on-disk sessions, broken since 3.8.0.

• Ensure that only one "Based on" attribute is stored for each custom field.

• Fix the loading of Shredder plugins, broken in 3.8.10.

How the University of Oxford uses RT

Ever wonder how a large organization uses RT? The University of Oxford's Computing Services, a very long time user of RT, published a blog post last week giving a peek into their use cases and workflows.