RequestTrackerSecurityReview
Security Review of Request Tracker
http://www.jadevine.org.uk/request-tracker/
General impression
- Huge (ca. 200,000 LOC)
- written entirely in Perl
- by default the code runs as www-data, i.e. as the same user as every other application served by the same Apache, so a compromise of RT can potentially reach all of them (and vice versa); it can be configured to run under Apache's suexec, or as a standalone server (/usr/bin/rt-standalone_httpd-3.4) instead (whether that is worth it depends on how many other apps the Apache instance serves)
Security history
- 0 CANs (CVE candidate numbers)
- one XSS in an old version in 2003 (http://www.gossamer-threads.com/lists/rt/announce/72, http://secunia.com/product/1542)
-> excellent
Installation
- A bit clumsy, since the DB user initially must have CREATEDB privileges; these can be revoked after rt-setup-database has run
- Hangs with apache-worker (my default module), works with apache-prefork
Source code
I could not review the whole source code, so I looked at some crucial points to get a general impression.
- general: does not use Perl's taint mode (-T), so nothing forces untrusted input (CGI parameters, e-mail content, ticket fields) to be explicitly untainted before it can reach file or process operations
- general: no unsafe exec/system calls
- EmailParser.pm: correct temp file handling
- bin/rt.in (CLI client): looks good, uncritical
- bin/mason_handler.fcgi.in: ok
- XSS attempt failed; RT configures HTML::Mason to HTML-escape component output by default (default_escape_flags 'h'), so meta characters in user data are escaped unless a component explicitly turns escaping off
- DB access is encapsulated in DBIx::SearchBuilder, which properly quotes values (I checked this)
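To make the taint-mode point concrete, here is an added example (not RT code, and not claiming anything about how RT could be switched to -T) showing what Perl's -T enforces: values from @ARGV or %ENV are tainted, passing them to system() dies, and the only way to clear the taint is an explicit allow-list regex capture. The ticket-id pattern and the /bin/echo call are assumptions chosen for the demo.

```perl
#!/usr/bin/perl -T
# Added example: Perl taint mode (-T) in action. Not part of RT.
# Run as:  perl -T taint_demo.pl 42       (the shebang -T must match the command line)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, system() refuses to run at all unless PATH and a few other
# environment variables are cleaned first (they are tainted too).
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint by allow-list: only the captured group of a successful match is
# untainted. A hypothetical RT-style ticket id is 1-10 digits, nothing else.
sub untaint_ticket_id {
    my ($raw) = @_;
    return $raw =~ /\A(\d{1,10})\z/ ? $1 : undef;
}

# Command-line arguments are tainted; this stands in for a CGI parameter
# or an e-mail header that an application like RT would receive.
my $raw = $ARGV[0];
die "usage: perl -T $0 <ticket-id>\n" unless defined $raw;

printf "raw value tainted: %s\n", tainted($raw) ? 'yes' : 'no';   # yes

my $id = untaint_ticket_id($raw);
die "refusing untrusted ticket id '$raw'\n" unless defined $id;

printf "untainted id tainted: %s\n", tainted($id) ? 'yes' : 'no'; # no

# Without the regex step above, using $raw here would abort with:
#   Insecure dependency in system while running with -T switch
# The list form already avoids the shell, but taint checking still
# applies to every argument, which is the safety net RT does without.
system('/bin/echo', "ticket $id") == 0
    or die "echo failed: $?\n";
```

Calling the script with "42" prints the two taint lines and echoes the ticket; calling it with "42; rm -rf /" never reaches system() because the allow-list match fails. Swap the untaint call for the raw value and -T aborts the program instead, which is exactly the class of mistake that a non-taint-mode code base like RT has to catch by review alone.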
RequestTrackerSecurityReview (last edited 2008-08-06 16:20:43 by localhost)