Request Tracker 3.x < 3.8.15 / 4.x < 4.0.8 Multiple Vulnerabilities

medium Nessus Plugin ID 63065

Synopsis

The remote web server is running a Perl application that is affected by multiple vulnerabilities.

Description

According to its self-reported version number, the Best Practical Solutions Request Tracker (RT) running on the remote web server is version 3.x prior to 3.8.15 or version 4.x prior to 4.0.8. It is, therefore, potentially affected by the following vulnerabilities :

- Users can inject arbitrary headers into outgoing email provided they have ModifySelf or AdminUser privileges.
A remote attacker could exploit this to gain sensitive information or conduct phishing attacks. (CVE-2012-4730)

- Any privileged user can create articles in any class due to the application failing to properly verify user access rights. (CVE-2012-4731)

- A cross-site request forgery vulnerability exists that allows a remote attacker to hijack the authentication of users for requests that toggle ticket bookmarks.
(CVE-2012-4732)

- A warning bypass vulnerability exists that allows a 'confused deputy' attack during the handling of a specially crafted link. (CVE-2012-4734)

- A vulnerability exists that allows an attacker to send arbitrary arguments to the command line for the GnuPG client (if GnuPG is enabled), which could result in the creation of arbitrary files with the permissions of the web server. (CVE-2012-4884)

- Multiple vulnerabilities exist related to the improper signing or encryption of messages using GnuPG when GnuPG is enabled. (CVE-2012-6578, CVE-2012-6579, CVE-2012-6580, CVE-2012-6581)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Request Tracker 3.8.15 / 4.0.8 or later.

See Also

http://www.nessus.org/u?2181f5d2

Plugin Details

Severity: Medium

ID: 63065

File Name: rt_3_8_15_or_4_0_8.nasl

Version: 1.12

Type: remote

Family: CGI abuses

Published: 11/27/2012

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:bestpractical:rt

Required KB Items: installed_sw/RT, Settings/ParanoidReport

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Patch Publication Date: 10/26/2012

Vulnerability Publication Date: 10/25/2012

Reference Information

CVE: CVE-2012-4730, CVE-2012-4731, CVE-2012-4732, CVE-2012-4734, CVE-2012-4884, CVE-2012-6578, CVE-2012-6579, CVE-2012-6580, CVE-2012-6581

BID: 56290, 56291