Detections
Analytics

FreeBSD : RT -- Multiple Vulnerabilities (e0a969e4-a512-11e1-90b4-e0cb4e266481)

medium Nessus Plugin ID 59283

Language:

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

BestPractical report :

Internal audits of the RT codebase have uncovered a number of security vulnerabilities in RT. We are releasing versions 3.8.12 and 4.0.6 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 3.8 and 4.0.

The vulnerabilities addressed by 3.8.12, 4.0.6, and the below patches include the following :

The previously released tool to upgrade weak password hashes as part of CVE-2011-0009 was an incomplete fix and failed to upgrade passwords of disabled users.

RT versions 3.0 and above contain a number of cross-site scripting (XSS) vulnerabilities which allow an attacker to run JavaScript with the user's credentials. CVE-2011-2083 is assigned to this vulnerability.

RT versions 3.0 and above are vulnerable to multiple information disclosure vulnerabilities. This includes the ability for privileged users to expose users' previous password hashes -- this vulnerability is particularly dangerous given RT's weak hashing previous to the fix in CVE-2011-0009. A separate vulnerability allows privileged users to obtain correspondence history for any ticket in RT. CVE-2011-2084 is assigned to this vulnerability.

All publicly released versions of RT are vulnerable to cross-site request forgery (CSRF). CVE-2011-2085 is assigned to this vulnerability.

We have also added a separate configuration option ($RestrictLoginReferrer) to prevent login CSRF, a different class of CSRF attack.

RT versions 3.6.1 and above are vulnerable to a remote execution of code vulnerability if the optional VERP configuration options ($VERPPrefix and $VERPDomain) are enabled. RT 3.8.0 and higher are vulnerable to a limited remote execution of code which can be leveraged for privilege escalation. RT 4.0.0 and above contain a vulnerability in the global $DisallowExecuteCode option, allowing sufficiently privileged users to still execute code even if RT was configured to not allow it. CVE-2011-4458 is assigned to this set of vulnerabilities.

RT versions 3.0 and above may, under some circumstances, still respect rights that a user only has by way of a currently-disabled group.
CVE-2011-4459 is assigned to this vulnerability.

RT versions 2.0 and above are vulnerable to a SQL injection attack, which allow privileged users to obtain arbitrary information from the database. CVE-2011-4460 is assigned to this vulnerability.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?ebd34bfd

http://www.nessus.org/u?bb1ef315

Plugin Details

Severity: Medium

ID: 59283

File Name: freebsd_pkg_e0a969e4a51211e190b4e0cb4e266481.nasl

Version: 1.6

Type: local

Published: 5/29/2012

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:rt38, p-cpe:/a:freebsd:freebsd:rt40, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 5/23/2012

Vulnerability Publication Date: 5/22/2012

Reference Information

CVE: CVE-2011-0009, CVE-2011-2082, CVE-2011-2083, CVE-2011-2084, CVE-2011-2085, CVE-2011-4458, CVE-2011-4459, CVE-2011-4460