Security vulnerabilities in three commonly deployed RT extensions
We have determined a number of security vulnerabilities in commonly installed RT extensions, enumerated below. You can determine which, if any, of these extensions your RT installation is using by navigating to Configuration → Tools → System Configuration, and examining the "Plugins" configuration setting.
We have released updated versions of each vulnerable extension. Installation instructions for each are included in a README file in each extension's tarball. You need only download and upgrade these extensions if you have a previous version of them installed; RT installations with none of the below extensions installed are not vulnerable, and do not need to take action.
RT::Authen::ExternalAuth 0.10 and below (for all versions of RT) are vulnerable to an escalation of privilege attack where the URL of a RSS feed of the user can be used to acquire a fully logged-in session as that user. CVE-2012-2770 has been assigned to this vulnerability.
Users of RT 3.8.2 and above should upgrade to RT::Authen::ExternalAuth 0.11, which resolves this vulnerability. Because users of RT 3.8.1 cannot run RT::Authen::ExternalAuth later then 0.08 (due to bugs in plugin handling code in RT 3.8.1), we are also providing a patch which applies to RT::Authen::ExternalAuth 0.08. This patch should only be applied if you are running RT 3.8.1 and RT::Authen::ExternalAuth 0.08. Instructions for applying the patch can be found in the patch file itself.
RT::FM versions 2.0.4 through 2.4.3, inclusive, are vulnerable to multiple cross-site scripting (XSS) attacks in the topic administration page. CVE-2012-2768 has been assigned to this vulnerability. This release also includes updates for compatibility with RT 3.8.12. As RT 4.0 and above bundle RT::FM's functionality, and resolved this vulnerability in RT 4.0.6, this update is only applicable to installations of RT 3.8.
RT::Extension::MobileUI 1.01 and below are vulnerable to multiple cross-site scripting (XSS) attacks. CVE-2012-2769 has been assigned to this vulnerability. As RT 4.0 and above bundle RT::Extension::MobileUI's functionality, and resolved this vulnerability in RT 4.0.6, this update is only applicable to installations of RT 3.8.
The README in each tarball contains instructions for upgrading the extension. If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sales at bestpractical.com for more information.