Request Tracker (RT)

Open-source ticketing system by Best Practical Solutions.

Common Path: /rt/

Discovery

# Look for RT paths
/rt/
/rt/login
/rt/NoAuth/Login.html

# Version in footer
»|« RT 4.4.4+dfsg-2ubuntu1 (Debian)

Default Credentials

Username

Password

root

password

admin

Post-Authentication Enumeration

Users

Admin → Users → Select

Look for:

Additional usernames
User comments (often contain temp passwords like "Initial password set to Welcome2023!")
Email addresses

Tickets

Browse tickets for:

Sensitive attachments
Passwords in ticket body
Internal hostnames/IPs
Application names/versions

Interesting Endpoints

Path

Description

/rt/Admin/Users/Modify.html?id=X

User details (may contain passwords in comments)

/rt/Ticket/Display.html?id=X

View ticket

/rt/Search/Results.html

Search all tickets

/rt/Admin/

Admin panel

Known Vulnerabilities

CVE-2022-25802 - XSS

Stored XSS in ticket subject/body.

CVE-2021-38562 - Information Disclosure

Unauthenticated user enumeration via timing attack.

Config Files

/opt/rt4/etc/RT_SiteConfig.pm
/etc/request-tracker4/RT_SiteConfig.d/

May contain database credentials:

Set($DatabaseType, 'mysql');
Set($DatabaseUser, 'rt_user');
Set($DatabasePassword, 'password');

PreviousApache ActiveMQ NextCMS Made Simple

Last updated 25 days ago

hashtagDiscovery

hashtagDefault Credentials

hashtagPost-Authentication Enumeration

hashtagUsers

hashtagTickets

hashtagInteresting Endpoints

hashtagKnown Vulnerabilities

hashtagCVE-2022-25802 - XSS

hashtagCVE-2021-38562 - Information Disclosure

hashtagConfig Files