Fw: [rt-users] [rt-announce] RT 1.0.7 vulnerable to Cross Site Scripting attacks
From: Chris Knipe (savagesavage.za.org)
Date: Thu May 08 2003 - 06:38:14 CDT
----- Original Message -----
From: "Jesse Vincent" <jessebestpractical.com>
Sent: Thursday, May 08, 2003 1:14 PM
Subject: [rt-users] [rt-announce] RT 1.0.7 vulnerable to Cross Site
> All versions of RT 1.0, up to and including RT 1.0.7 are vulnerable to
> a cross site scripting attack with content included in message bodies.
> If you use RT 1.0 to handle mail from unknown or possibly malicious
> users, an attacker could exploit this hole to perform actions within RT
> as any staff user who uses RT 1.0's web interface to view a malicious
> message. More information on CSS attacks is available at
>
> We recommend that all users upgrade to RT 2.0.15 or RT 3.0, as we don't
> currently plan to release a new version of RT 1.0.x (It's been
> retired for several years now.) If an end-user provides us with a
> verifiable patch to resolve this issue, we would be delighted to publish
> it as RT 1.0.8.
>
> Information about current versions of RT is available at
> http://bestpractical.com/rt. If, for some reason, you are unable to
> upgrade from RT 1.0.x and require commercial support, please address all
> inquiries to salesbestpractical.com.
>
> We are grateful to Troy Davis and the Semaphore Corporation for bringing
> this issue to our attention.
>
> Jesse Vincent
> Best Practical Solutions, LLC
> http://www.bestpractical.com/rt -- Trouble Ticketing. Free.