Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2011-1007

Overview

Vulnerability Score 2.1 2.1
CVE Id CVE-2011-1007
Last Modified 10 Mar 2011 10:51:12
Published 28 Feb 2011 11:00:01
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact NONE NONE
Availability Impact NONE NONE
Access Vector LOCAL
Access Complexity LOW
Authentication NONE

CVE-2011-1007

Summary

Best Practical Solutions RT before 3.8.9 does not perform certain redirect actions upon a login, which allows physically proximate attackers to obtain credentials by resubmitting the login form via the back button of a web browser on an unattended workstation after an RT logout.

Vulnerable Systems

Application

  • Bestpractical Rt 1.0.0

  • Bestpractical Rt 1.0.1

  • Bestpractical Rt 1.0.2

  • Bestpractical Rt 1.0.3

  • Bestpractical Rt 1.0.4

  • Bestpractical Rt 1.0.5

  • Bestpractical Rt 1.0.6

  • Bestpractical Rt 1.0.7

  • Bestpractical Rt 2.0.0

  • Bestpractical Rt 2.0.1

  • Bestpractical Rt 2.0.11

  • Bestpractical Rt 2.0.12

  • Bestpractical Rt 2.0.13

  • Bestpractical Rt 2.0.14

  • Bestpractical Rt 2.0.15

  • Bestpractical Rt 2.0.2

  • Bestpractical Rt 2.0.3

  • Bestpractical Rt 2.0.4

  • Bestpractical Rt 2.0.5

  • Bestpractical Rt 2.0.5.1

  • Bestpractical Rt 2.0.5.3

  • Bestpractical Rt 2.0.6

  • Bestpractical Rt 2.0.7

  • Bestpractical Rt 2.0.8

  • Bestpractical Rt 2.0.8.2

  • Bestpractical Rt 2.0.9

  • Bestpractical Rt 3.0.0

  • Bestpractical Rt 3.0.1

  • Bestpractical Rt 3.0.10

  • Bestpractical Rt 3.0.11

  • Bestpractical Rt 3.0.12

  • Bestpractical Rt 3.0.2

  • Bestpractical Rt 3.0.3

  • Bestpractical Rt 3.0.4

  • Bestpractical Rt 3.0.5

  • Bestpractical Rt 3.0.6

  • Bestpractical Rt 3.0.7

  • Bestpractical Rt 3.0.7.1

  • Bestpractical Rt 3.0.8

  • Bestpractical Rt 3.0.9

  • Bestpractical Rt 3.2.0

  • Bestpractical Rt 3.2.1

  • Bestpractical Rt 3.2.2

  • Bestpractical Rt 3.2.3

  • Bestpractical Rt 3.4.0

  • Bestpractical Rt 3.4.1

  • Bestpractical Rt 3.4.2

  • Bestpractical Rt 3.4.3

  • Bestpractical Rt 3.4.4

  • Bestpractical Rt 3.4.5

  • Bestpractical Rt 3.4.6

  • Bestpractical Rt 3.6.0

  • Bestpractical Rt 3.6.1

  • Bestpractical Rt 3.6.2

  • Bestpractical Rt 3.6.3

  • Bestpractical Rt 3.6.4

  • Bestpractical Rt 3.6.5

  • Bestpractical Rt 3.6.6

  • Bestpractical Rt 3.6.7

  • Bestpractical Rt 3.6.8

  • Bestpractical Rt 3.6.9

  • Bestpractical Rt 3.8.0

  • Bestpractical Rt 3.8.1

  • Bestpractical Rt 3.8.2

  • Bestpractical Rt 3.8.3

  • Bestpractical Rt 3.8.4

  • Bestpractical Rt 3.8.5

  • Bestpractical Rt 3.8.6

  • Bestpractical Rt 3.8.7

  • Bestpractical Rt 3.8.8

  • Bestpractical Rt 3.8.9


References

CONFIRM - https://github.com/bestpractical/rt/commit/917c211820590950f7eb0521f7f43b31aeed44c4

CONFIRM - https://github.com/bestpractical/rt/commit/057552287159e801535e59b8fbd5bd98d1322069

MLIST - [oss-security] 20110222 CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition

MLIST - [oss-security] 20110222 Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition

MLIST - [rt-announce] 20110216 RT 3.8.9 Released

CONFIRM - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614575

XF - rt-login-information-disclosure(65771)

VUPEN - ADV-2011-0475

SECUNIA - 43438

OSVDB - 71012

MLIST - [oss-security] 20110224 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition

MLIST - [oss-security] 20110223 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition

CONFIRM - http://issues.bestpractical.com/Ticket/Display.html?id=15804


Last Updated: 27 May 2016 10:56:07