CVE-2011-1007
First published: Mon Feb 28 2011(Updated: )
Best Practical Solutions RT before 3.8.9 does not perform certain redirect actions upon a login, which allows physically proximate attackers to obtain credentials by resubmitting the login form via the back button of a web browser on an unattended workstation after an RT logout.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bestpractical Rt | <=3.8.9 | |
| Bestpractical Rt | =3.0.4 | |
| Bestpractical Rt | =2.0.7 | |
| Bestpractical Rt | =3.8.9-rc2 | |
| Bestpractical Rt | =3.0.8 | |
| Bestpractical Rt | =3.8.8-rc2 | |
| Bestpractical Rt | =3.8.9-rc1 | |
| Bestpractical Rt | =2.0.6 | |
| Bestpractical Rt | =3.4.5 | |
| Bestpractical Rt | =3.0.2 | |
| Bestpractical Rt | =2.0.14 | |
| Bestpractical Rt | =3.6.7 | |
| Bestpractical Rt | =3.6.2 | |
| Bestpractical Rt | =3.2.2 | |
| Bestpractical Rt | =3.6.3 | |
| Bestpractical Rt | =3.0.11 | |
| Bestpractical Rt | =3.8.2 | |
| Bestpractical Rt | =3.8.8-rc4 | |
| Bestpractical Rt | =2.0.15 | |
| Bestpractical Rt | =3.6.0 | |
| Bestpractical Rt | =2.0.5.3 | |
| Bestpractical Rt | =1.0.7 | |
| Bestpractical Rt | =1.0.1 | |
| Bestpractical Rt | =3.8.0 | |
| Bestpractical Rt | =3.4.0 | |
| Bestpractical Rt | =1.0.5 | |
| Bestpractical Rt | =2.0.8.2 | |
| Bestpractical Rt | =2.0.13 | |
| Bestpractical Rt | =3.0.10 | |
| Bestpractical Rt | =3.8.8-rc3 | |
| Bestpractical Rt | =2.0.11 | |
| Bestpractical Rt | =2.0.0 | |
| Bestpractical Rt | =2.0.1 | |
| Bestpractical Rt | =3.2.3 | |
| Bestpractical Rt | =2.0.2 | |
| Bestpractical Rt | =3.0.5 | |
| Bestpractical Rt | =3.2.0 | |
| Bestpractical Rt | =3.0.0 | |
| Bestpractical Rt | =3.4.6 | |
| Bestpractical Rt | =3.0.3 | |
| Bestpractical Rt | =3.4.3 | |
| Bestpractical Rt | =2.0.8 | |
| Bestpractical Rt | =3.6.9 | |
| Bestpractical Rt | =3.6.6 | |
| Bestpractical Rt | =2.0.5 | |
| Bestpractical Rt | =3.6.5 | |
| Bestpractical Rt | =1.0.2 | |
| Bestpractical Rt | =1.0.0 | |
| Bestpractical Rt | =3.0.1 | |
| Bestpractical Rt | =3.2.1 | |
| Bestpractical Rt | =3.8.5 | |
| Bestpractical Rt | =2.0.5.1 | |
| Bestpractical Rt | =3.4.4 | |
| Bestpractical Rt | =3.6.8 | |
| Bestpractical Rt | =1.0.4 | |
| Bestpractical Rt | =3.0.6 | |
| Bestpractical Rt | =3.8.6-rc1 | |
| Bestpractical Rt | =3.0.7 | |
| Bestpractical Rt | =3.0.7.1 | |
| Bestpractical Rt | =3.0.12 | |
| Bestpractical Rt | =3.0.9 | |
| Bestpractical Rt | =3.8.3 | |
| Bestpractical Rt | =3.6.1 | |
| Bestpractical Rt | =3.4.1 | |
| Bestpractical Rt | =3.8.6 | |
| Bestpractical Rt | =3.6.4 | |
| Bestpractical Rt | =2.0.4 | |
| Bestpractical Rt | =1.0.6 | |
| Bestpractical Rt | =3.8.1 | |
| Bestpractical Rt | =3.8.4 | |
| Bestpractical Rt | =2.0.9 | |
| Bestpractical Rt | =1.0.3 | |
| Bestpractical Rt | =2.0.3 | |
| Bestpractical Rt | =2.0.12 | |
| Bestpractical Rt | =3.8.7-rc1 | |
| Bestpractical Rt | =3.4.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://openwall.com/lists/oss-security/2011/02/24/8
- http://issues.bestpractical.com/Ticket/Display.html?id=15804
- http://openwall.com/lists/oss-security/2011/02/22/6
- http://openwall.com/lists/oss-security/2011/02/23/22
- http://openwall.com/lists/oss-security/2011/02/24/9
- http://lists.bestpractical.com/pipermail/rt-announce/2011-February/000186.html
- http://www.vupen.com/english/advisories/2011/0475
- http://openwall.com/lists/oss-security/2011/02/24/7
- https://github.com/bestpractical/rt/commit/917c211820590950f7eb0521f7f43b31aeed44c4
- http://openwall.com/lists/oss-security/2011/02/22/12
- http://secunia.com/advisories/43438
- http://openwall.com/lists/oss-security/2011/02/22/16
- https://github.com/bestpractical/rt/commit/057552287159e801535e59b8fbd5bd98d1322069
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614575
- http://osvdb.org/71012
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65771
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
- collector/nvd-historical
- collector/nvd-index
- collector/nvd-api
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/description
- agent/type
- agent/event
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/bestpractical
- canonical/bestpractical rt
- version/bestpractical rt/3.8.9
- version/bestpractical rt/3.0.4
- version/bestpractical rt/2.0.7
- version/bestpractical rt/3.8.9-rc2
- version/bestpractical rt/3.0.8
- version/bestpractical rt/3.8.8-rc2
- version/bestpractical rt/3.8.9-rc1
- version/bestpractical rt/2.0.6
- version/bestpractical rt/3.4.5
- version/bestpractical rt/3.0.2
- version/bestpractical rt/2.0.14
- version/bestpractical rt/3.6.7
- version/bestpractical rt/3.6.2
- version/bestpractical rt/3.2.2
- version/bestpractical rt/3.6.3
- version/bestpractical rt/3.0.11
- version/bestpractical rt/3.8.2
- version/bestpractical rt/3.8.8-rc4
- version/bestpractical rt/2.0.15
- version/bestpractical rt/3.6.0
- version/bestpractical rt/2.0.5.3
- version/bestpractical rt/1.0.7
- version/bestpractical rt/1.0.1
- version/bestpractical rt/3.8.0
- version/bestpractical rt/3.4.0
- version/bestpractical rt/1.0.5
- version/bestpractical rt/2.0.8.2
- version/bestpractical rt/2.0.13
- version/bestpractical rt/3.0.10
- version/bestpractical rt/3.8.8-rc3
- version/bestpractical rt/2.0.11
- version/bestpractical rt/2.0.0
- version/bestpractical rt/2.0.1
- version/bestpractical rt/3.2.3
- version/bestpractical rt/2.0.2
- version/bestpractical rt/3.0.5
- version/bestpractical rt/3.2.0
- version/bestpractical rt/3.0.0
- version/bestpractical rt/3.4.6
- version/bestpractical rt/3.0.3
- version/bestpractical rt/3.4.3
- version/bestpractical rt/2.0.8
- version/bestpractical rt/3.6.9
- version/bestpractical rt/3.6.6
- version/bestpractical rt/2.0.5
- version/bestpractical rt/3.6.5
- version/bestpractical rt/1.0.2
- version/bestpractical rt/1.0.0
- version/bestpractical rt/3.0.1
- version/bestpractical rt/3.2.1
- version/bestpractical rt/3.8.5
- version/bestpractical rt/2.0.5.1
- version/bestpractical rt/3.4.4
- version/bestpractical rt/3.6.8
- version/bestpractical rt/1.0.4
- version/bestpractical rt/3.0.6
- version/bestpractical rt/3.8.6-rc1
- version/bestpractical rt/3.0.7
- version/bestpractical rt/3.0.7.1
- version/bestpractical rt/3.0.12
- version/bestpractical rt/3.0.9
- version/bestpractical rt/3.8.3
- version/bestpractical rt/3.6.1
- version/bestpractical rt/3.4.1
- version/bestpractical rt/3.8.6
- version/bestpractical rt/3.6.4
- version/bestpractical rt/2.0.4
- version/bestpractical rt/1.0.6
- version/bestpractical rt/3.8.1
- version/bestpractical rt/3.8.4
- version/bestpractical rt/2.0.9
- version/bestpractical rt/1.0.3
- version/bestpractical rt/2.0.3
- version/bestpractical rt/2.0.12
- version/bestpractical rt/3.8.7-rc1
- version/bestpractical rt/3.4.2