RequestTrackerSecurityReview

Security Review of Request Tracker

http://www.jadevine.org.uk/request-tracker/

General impression

  • Huge (ca. 200,000 LOC)
  • completely written in Perl
  • Code runs as www-data by default, so a compromise of RT can potentially affect everything else the same Apache instance serves; it can be configured manually to run under Apache's suexec, or as a standalone server (/usr/bin/rt-standalone_httpd-3.4). Whether that matters depends on how many other applications Apache serves besides RT.

Security history

-> excellent

Installation

  • A bit clumsy, since the DB user initially needs the CREATEDB privilege; it can be revoked after rt-setup-database has run, though.
  • Hangs with apache-worker (my default module), works with -prefork.

Source code

I could not review the whole source code, so I looked at some crucial points to get a general impression.

  • general: does not use Perl taint mode (-T)
  • general: no unsafe exec/system calls
  • EmailParser.pm: correct temp file handling
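The two points above (no taint mode; correct temp file handling) are illustrated by the following added example. It is not RT code; the ticket-id format and the untrusted input are constructed for the demonstration. Under -T, Perl refuses to pass data of external origin (CGI parameters, %ENV, STDIN) to system(), open-for-write and similar calls until the program has explicitly validated it with a regex capture, which is the safety net RT forgoes; File::Temp shows the temp file pattern the review found to be done correctly in EmailParser.pm.

```perl
#!/usr/bin/perl -T
# Added example, not code from Request Tracker. Run as: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp qw(tempfile);

# Taint mode insists on a clean PATH before any child process is started.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed untrusted inputs standing in for a CGI parameter
# (anything read from outside the program is tainted under -T).
my @inputs = ("ticket-42", "ticket-42; rm -rf /");

# Hypothetical validator: only the captured group becomes untainted,
# so the program, not Perl, decides what shape is acceptable.
sub untaint_ticket_id {
    my ($raw) = @_;
    return $1 if $raw =~ /^ticket-(\d+)$/;
    return undef;
}

for my $raw (@inputs) {
    # Mark the value as tainted the way CGI input would be, by deriving
    # it from %ENV (a tainted source) through a no-op concatenation.
    my $value = $raw . substr($ENV{PATH}, 0, 0);
    printf "input %-22s tainted=%d\n", "'$raw'", tainted($value) ? 1 : 0;

    # What taint mode prevents: using the raw value in a command.
    eval { system('echo', $value); 1 }
        or print "  system() refused: $@";

    my $id = untaint_ticket_id($value);
    if (!defined $id) {
        print "  rejected: malformed ticket id\n";
        next;
    }

    # Safe temporary file (the EmailParser.pm pattern): random name,
    # created with O_EXCL and mode 0600, removed automatically on exit.
    my ($fh, $path) = tempfile("rt-review-XXXXXX", TMPDIR => 1, UNLINK => 1);
    print $fh "scratch data for ticket $id\n";
    close $fh or die "close $path: $!";
    print "  accepted ticket $id, wrote $path\n";
}
```

Running it shows both inputs as tainted, system() dying with "Insecure dependency in system while running with -T switch" for each, and only the well-formed id passing the validator and reaching the temp file step.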

  • bin/rt.in (CLI client): looks good, non-critical
  • bin/mason_handler.fcgi.in: ok
  • XSS attempt failed; Mason escapes HTML metacharacters automatically
  • encapsulates DB access over DBIx::SearchBuilder, which properly escapes quotes (I checked this)
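The property checked in the last point, that a quote inside user input cannot alter the query, is shown below with plain DBI bound parameters against an in-memory SQLite table. This is an added example, not code from RT or DBIx::SearchBuilder; the table, the row and the hostile input are constructed, and the two counting functions are hypothetical names for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not Request Tracker code. Requires DBI and DBD::SQLite.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE Users (id INTEGER PRIMARY KEY, Name TEXT)");
$dbh->do("INSERT INTO Users (Name) VALUES (?)", undef, "root");

# Constructed hostile input: a value containing a single quote.
my $name = "root' OR '1'='1";

# Weak form: the value is interpolated into the SQL text, so the quote
# terminates the literal and the rest of the input becomes SQL.
sub count_interpolated {
    my ($dbh, $name) = @_;
    return $dbh->selectrow_array(
        "SELECT COUNT(*) FROM Users WHERE Name = '$name'");
}

# Correct form: a bound parameter travels as data; the quote stays a quote.
sub count_bound {
    my ($dbh, $name) = @_;
    return $dbh->selectrow_array(
        "SELECT COUNT(*) FROM Users WHERE Name = ?", undef, $name);
}

# When SQL must be assembled as a string, DBI's quote() escapes the
# value for the driver (this is the escaping the review verified).
sub count_quoted {
    my ($dbh, $name) = @_;
    my $lit = $dbh->quote($name);   # yields 'root'' OR ''1''=''1'
    return $dbh->selectrow_array(
        "SELECT COUNT(*) FROM Users WHERE Name = $lit");
}

printf "interpolated: %d rows (input rewrote the WHERE clause)\n",
       count_interpolated($dbh, $name);
printf "bound:        %d rows\n", count_bound($dbh, $name);
printf "quoted:       %d rows\n", count_quoted($dbh, $name);
```

With the single constructed row, the interpolated query reports 1 match because the input turned the WHERE clause into a tautology, while the bound and quoted forms report 0, since no user is literally named `root' OR '1'='1`. Bound parameters are preferable to quote() because the escaping is then done by the driver on every call rather than remembered by the programmer.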

CategoryArchive

RequestTrackerSecurityReview (last edited 2008-08-06 16:20:43 by localhost)