Q: Why am I getting a Possible Cross-site Request Forgery warning from RT when I go to my bookmarked link?

"Request Tracker 4.0.5: Vastly more secure and slightly more annoying."

Context

  • Request Tracker (RT) on help.mit.edu, version 4.0.5
  • Cross-site request protection in RT
  • Ticket tracking at MIT

Answer

Tuesday, May 29th, 2012: Update

We will be deploying a small local modification to Request Tracker 4.0.5's new Cross-Site Request Forgery safeguards this evening around 21:30. The modification exempts RT's search pages Results.html and Simple.html from the check, so that MIT community members can open searches saved in their personal browser bookmarks without triggering the new CSRF security warning. Other requests that reach RT from outside the application will still trigger the warning, including external forms that submit to RT's Create.html page and external sites that link directly to charts or bulk-update screens.

Cross-Site Request Forgery protection in RT 4.0.5

The latest version of Request Tracker (RT), version 4.0.5, includes several security fixes and protections against a class of attacks called Cross-Site Request Forgery (CSRF). In a CSRF attack, a user who is logged in to RT visits an unrelated third-party web site under the attacker's control; that site causes the user's browser to send a request to RT (for example by auto-submitting a hidden form), and because the browser attaches the user's active RT session cookie to that request, RT carries out the action as if the user had asked for it.

One safeguard introduced in RT 4.0.5 is that the application now checks the HTTP Referer header of each request (the header name is spelled that way in the HTTP specification) and warns the user when a request that RT expects to originate inside the application instead appears to come from an outside web site or page. The check can only go on what the browser sends: a request that arrives with no Referer header at all, as happens when you follow a bookmark or type a URL into the address bar, cannot be shown to have come from inside RT and is treated as coming from outside.

One category of actions that triggers this warning is following a bookmark to an internal RT action page, such as a search results page. Since clicking on your bookmark produces a request that technically originated outside the RT web application, you will see a warning screen like this:

[Screenshot: RT's "Possible Cross-site Request Forgery" warning page, with the "click here to resume your request" link]

If this is expected, as in the scenario above, because you just clicked on something that should take you to RT, simply click "click here to resume your request" to complete the action.

If you see this screen at an unexpected time, without having initiated an action yourself, that is very suspicious and you should NOT click the link to proceed. Instead, consider reporting the web site that appears to have triggered the request to the MIT IT Security team.
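The following is an added example and not RT's own code (RT implements its check in Perl). It models the Referer-based decision described above, together with the May 29 local change that exempts the two search pages, and runs it over a few constructed requests, including an attacker's forged POST to the Create Ticket page. The host name help.mit.edu comes from this page; the request fields, function names, whitelist constants and the "GET with no parameters is harmless" shortcut are assumptions made for illustration.

```python
"""Model of the Referer-based CSRF check described above.

Added example, not RT's own code (RT's check lives in Perl, in
RT::Interface::Web). Request shape, function names, the whitelist
constants and the "GET without parameters is harmless" shortcut are
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Host the RT instance believes it is served from (taken from this page).
RT_HOST = "help.mit.edu"

# Stock behaviour in this model: no page is exempt.
DEFAULT_WHITELIST = frozenset()
# Assumed shape of the May 29, 2012 local change: the two search pages
# may accept parameters from a request with no (or a foreign) Referer.
MIT_LOCAL_WHITELIST = frozenset({"/Search/Results.html", "/Search/Simple.html"})


@dataclass
class Request:
    method: str
    path: str                       # component path inside RT
    args: Dict[str, str] = field(default_factory=dict)
    referer: Optional[str] = None   # HTTP "Referer" header; None when the browser sent none


def referer_is_internal(referer: Optional[str]) -> bool:
    """True only when the Referer is an http(s) URL whose host is exactly RT_HOST.
    Exact comparison matters: a prefix test would accept help.mit.edu.evil.example."""
    if referer is None:
        return False
    parts = urlsplit(referer)
    return parts.scheme in ("http", "https") and parts.hostname == RT_HOST


def is_possible_csrf(req: Request, whitelist=DEFAULT_WHITELIST) -> Tuple[bool, str]:
    """Decide whether to show the interstitial warning.

    Returns (flagged, reason). A request is flagged when it carries
    parameters to a page that is not exempt and cannot be shown to have
    originated inside RT."""
    if req.path in whitelist:
        return False, "page is exempt from the check"
    if req.method == "GET" and not req.args:
        return False, "no parameters, nothing to forge"
    if referer_is_internal(req.referer):
        return False, "Referer is a page on " + RT_HOST
    if req.referer is None:
        return True, "no Referer header (bookmark, typed URL, or suppressed by the browser)"
    return True, "Referer is external: " + str(urlsplit(req.referer).hostname)


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Constructed requests; each maps to (flagged before the local change,
    flagged after it)."""
    cases = {
        # Bookmark: browsers send no Referer when you follow one.
        "bookmarked search": Request(
            "GET", "/Search/Results.html", {"Query": "Owner = '__CurrentUser__'"}, None),
        # The same search reached by clicking inside RT.
        "in-app click": Request(
            "GET", "/Search/Results.html", {"Query": "Owner = '__CurrentUser__'"},
            "https://help.mit.edu/Search/Build.html"),
        # Externally hosted form that submits to RT's Create Ticket page.
        "external form to Create.html": Request(
            "POST", "/Ticket/Create.html", {"Subject": "Problem ticket"},
            "https://www.example.org/trend-form.html"),
        # Attacker page with a hidden auto-submitting form; Referer suppressed.
        "attacker page, Referer suppressed": Request(
            "POST", "/Ticket/Create.html", {"Subject": "forged"}, None),
        # Plain navigation with nothing to forge.
        "plain home page": Request("GET", "/index.html", {}, None),
    }
    return {
        name: (is_possible_csrf(r)[0], is_possible_csrf(r, MIT_LOCAL_WHITELIST)[0])
        for name, r in cases.items()
    }


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name:36s} flagged before: {before!s:5s} after: {after}")
```

Two things the model makes visible. First, the bookmark and the forged POST look identical to the check (parameters present, no Referer), which is why RT asks the user rather than refusing outright, and why the local whitelist is scoped to the two read-only search pages rather than to Create.html. Second, the Referer check is a heuristic: any browser or proxy that strips the header will produce the same false positive as a bookmark, so the warning is a prompt for judgement, not proof of an attack.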

When might you run into this message?

  • Searches or specific RT pages saved as personal browser bookmarks (the common case)
    Work-around: How can I save a search in Request Tracker?
  • The Help Desk escalation templates, which submit a create-ticket form from a non-RT web page (not very common, Help Desk only)
  • The Help Desk Trend/Problem ticket create form (an externally hosted form that calls RT's Create Ticket page; not very common, Help Desk only)
  • Request Tracker pages embedded in iframes on other web pages (not very common)

In all of the above cases, if you initiated the action you can complete it by clicking the "click here to resume your request" link and it will be processed normally. In any other case, think carefully before completing the request: do so only if you are sure you were on a legitimate MIT web site that had a reason to initiate an RT transaction using your credentials.

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified: May 05, 2016
