Request Tracker 3.x < 3.8.12 / 4.x < 4.0.6 Multiple Vulnerabilities

high Nessus Plugin ID 61434

Synopsis

The remote web server is running a Perl application that is affected by multiple vulnerabilities.

Description

According to its self-reported version number, the Best Practical Solutions Request Tracker (RT) running on the remote web server is version 3.x prior to 3.8.12 or version 4.x prior to 4.0.6. It is, therefore, potentially affected by the following vulnerabilities:

- The 'vulnerable-passwords' script fails to update the password-hash of disabled users, which could enable an attacker to more easily determine plaintext passwords using brute force methods. (CVE-2011-2082)

- Multiple cross-site scripting vulnerabilities exist that an attacker can utilize to execute script code with the user's credentials. (CVE-2011-2083)

- A remote, authenticated attacker can read the hashes of former passwords and the ticket correspondence history by accessing a privileged account. (CVE-2011-2084)

- Multiple cross-site request forgery vulnerabilities exist which a remote attacker can exploit to hijack user authentication. (CVE-2011-2085)

- A remote code execution vulnerability exists if the optional VERP configuration options (VERPPrefix and VERPDomain) are enabled. (CVE-2011-4458)

- Groups are not properly disabled, allowing users in disabled groups to gain escalated privileges. (CVE-2011-4459)

- A remote, authenticated attacker can inject SQL commands by utilizing access to a privileged account, allowing the disclosure or manipulation of arbitrary data on the back-end database. (CVE-2011-4460)

- An unspecified vulnerability exists that allows remote attackers to gain privileges or execute a restricted amount of arbitrary code. (CVE-2011-5092)

- The DisallowExecuteCode option is not properly implemented and allows a remote, authenticated attacker to bypass intended access restrictions and execute arbitrary code by using access to a privileged account. (CVE-2011-5093)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Request Tracker 3.8.12 / 4.0.6 or later.

See Also

http://www.nessus.org/u?ebd34bfd

Plugin Details

Severity: High

ID: 61434

File Name: rt_3_8_12_or_4_0_6.nasl

Version: 1.11

Type: remote

Family: CGI abuses

Published: 8/6/2012

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:bestpractical:rt

Required KB Items: installed_sw/RT, Settings/ParanoidReport

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Patch Publication Date: 5/22/2012

Vulnerability Publication Date: 5/22/2012

Reference Information

CVE: CVE-2011-2082, CVE-2011-2083, CVE-2011-2084, CVE-2011-2085, CVE-2011-4458, CVE-2011-4459, CVE-2011-4460, CVE-2011-5092, CVE-2011-5093

BID: 53660

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990