
RT/RTIR: Modifying private tickets via UUID spoofing

Status: Open. rommelfs opened this issue 5 years ago • 4 comments

In a sharing environment where org A and org B are present, org B has a ticket with UUID X, which is private (not shared). Org A has a ticket and sets it to UUID X. The non-shared org B ticket is being modified.

rommelfs, Jun 05 '19 07:06

@rommelfs thanks for this. We will investigate this further.

intrasoft-rmalik, Jun 05 '19 10:06

This is correct. Users should not edit the UUID manually; we have to set the UUID input field to read-only or make it a hidden field.

majidsalehighamsari, Jun 06 '19 11:06

Great, that's really good to hear. While you're on it, please make sure it cannot be modified through the command line interface RT client, the REST API or modified POST requests. If you could think of other ways, feel free to add them to the list.

rommelfs, Jun 06 '19 12:06

Even better, let's hope that no CSP user ever gains access to their SQL. Or perhaps, having a mechanism that doesn't allow any modifications from other CSP nodes to private data / no way to take over tickets would be even more helpful.

iglocska, Jun 06 '19 12:06
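The server-side ownership check the thread asks for (one enforcement point that the UI, CLI, REST API and node sync all pass through), shown as an added example that is not CSP's or RT/RTIR's own code; the in-memory store, the `Ticket` fields and the org names are assumptions, and the unchecked upsert is included only to contrast with the hardened version:

```python
from dataclasses import dataclass
from typing import Dict, List


class TicketAccessDenied(Exception):
    """Raised when an org tries to write a ticket that another org owns."""


@dataclass
class Ticket:
    uuid: str
    owner_org: str   # org that created the ticket (assumed field name)
    shared: bool     # False = private to owner_org
    subject: str


# Constructed audit trail of rejected writes; a deployment would emit these
# to its normal logging so cross-org write attempts are visible to SecOps.
DENIED: List[str] = []


def upsert_unchecked(store: Dict[str, Ticket], origin_org: str,
                     uuid: str, subject: str, shared: bool) -> Ticket:
    """The behaviour the issue describes: the client-supplied UUID alone
    selects which row is written, so any org can overwrite any ticket."""
    store[uuid] = Ticket(uuid, origin_org, shared, subject)
    return store[uuid]


def apply_update(store: Dict[str, Ticket], origin_org: str,
                 uuid: str, subject: str, shared: bool) -> Ticket:
    """Hardened write: a UUID nobody owns yet is created under origin_org;
    an existing UUID may only be written by its owner org.  The client's
    UUID is never trusted as proof of ownership, which is what makes the
    spoofing case (org A submitting org B's UUID) fail regardless of
    whether the request came from a form, the CLI or a hand-built POST."""
    existing = store.get(uuid)
    if existing is None:
        store[uuid] = Ticket(uuid, origin_org, shared, subject)
        return store[uuid]
    if existing.owner_org != origin_org:
        msg = (f"{origin_org} attempted to modify ticket {uuid} "
               f"owned by {existing.owner_org} (shared={existing.shared})")
        DENIED.append(msg)
        raise TicketAccessDenied(msg)
    existing.subject = subject
    existing.shared = shared
    return existing
```

Treating shared tickets as read-only for non-owners too is an assumption made here; the thread only covers private tickets, so relax that rule if the sharing model grants collaborators write access.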