Request Tracker 3.8.x < 3.8.17 / 4.x < 4.0.13 Multiple Vulnerabilities

medium Nessus Plugin ID 68996

Synopsis

The remote web server is running a Perl application that is affected by multiple vulnerabilities.

Description

According to its self-reported version number, the Best Practical Solutions Request Tracker (RT) running on the remote web server is version 3.8.x prior to 3.8.17 or version 4.x prior to 4.0.13. It is, therefore, potentially affected by the following vulnerabilities:

- A flaw exists that allows a remote, authenticated attacker with 'ModifyTicket' privileges to gain access to 'DeleteTicket' privileges, allowing tickets to be deleted without proper authorization. (CVE-2012-4733)

- A flaw exists where the 'rt' command-line tool uses predictable temporary files. This allows a local attacker, using a symlink, to overwrite arbitrary files. (CVE-2013-3368)

- A flaw exists that allows a remote, authenticated attacker who has permissions to view the administration pages to call arbitrary Mason components without control of the arguments. (CVE-2013-3369)

- A flaw exists where the application does not restrict direct requests to private callback components. (CVE-2013-3370)

- A cross-site scripting vulnerability exists related to attachment file names that allows a remote attacker to inject arbitrary script or HTML. (CVE-2013-3371)

- An unspecified flaw exists that allows a remote attacker to inject multiple Content-Disposition HTTP headers and possibly conduct cross-site scripting attacks. (CVE-2013-3372)

- A flaw exists in the email templates that allows a remote attacker to inject MIME headers in email generated by the application. (CVE-2013-3373)

- An information disclosure vulnerability exists due to the re-use of the Apache::Session::File session store. (CVE-2013-3374)

- A flaw exists due to improper validation of URLs in tickets when the 'MakeClicky' component is enabled, which allows cross-site scripting attacks. Note that this flaw only affects the RT 4.x branch. (CVE-2013-5587)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Request Tracker 3.8.17 / 4.0.13 or later, or apply the patch listed in the advisory.

See Also

http://www.nessus.org/u?4c8a91ea

http://www.nessus.org/u?e79fb8ab

https://seclists.org/fulldisclosure/2013/May/123

Plugin Details

Severity: Medium

ID: 68996

File Name: rt_4013.nasl

Version: 1.12

Type: remote

Family: CGI abuses

Published: 7/22/2013

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:bestpractical:rt

Required KB Items: installed_sw/RT, Settings/ParanoidReport

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Patch Publication Date: 5/22/2013

Vulnerability Publication Date: 5/22/2013

Reference Information

CVE: CVE-2012-4733, CVE-2013-3368, CVE-2013-3369, CVE-2013-3370, CVE-2013-3371, CVE-2013-3372, CVE-2013-3373, CVE-2013-3374, CVE-2013-5587

BID: 60083, 60091, 60093, 60094, 60095, 60096, 60105, 60106, 62014

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990