OTRS 1.x/2.x Multiple Security Issues

2005-11-22 / 2005-11-23
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SA0007 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++ OTRS 1.x/2.x Multiple Security Issues +++++ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ PUBLISHED ON Nov 22, 2005 PUBLISHED AT http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt.sig PUBLISHED BY Moritz Naumann IT Consulting & Services Hamburg, Germany http://moritz-naumann.com/ SECURITY at MORITZ hyphon NAUMANN d0t COM GPG key: http://moritz-naumann.com/keys/0x277F060C.asc AFFECTED APPLICATION OR SERVICE OTRS http://www.otrs.org/ OTRS, the Open Source Ticket Request System, is a trouble ticket system which allows for managing customer telephone calls and e-mails. AFFECTED VERSIONS Version 2.0.0 up to and including 2.0.3 and OTRS 1.0.0 up to and including 1.3.2. ISSUES OTRS is subject to multiple security vulnerabilities, ranging from cross site scripting to SQL injection. >>> 1. SQL injection #1 A malicious user may be able to conduct blind SQL code injection on the OTRS 'Login' function. Successful authentication is NOT required. By injecting a LEFT JOIN statement into the authentication database SQL query, an attacker may be able to exploit this issue. The following partial URL demonstrates this issue: [OTRS_BaseURI]/index.pl?Action=Login&User=%27[SQL_HERE] This results in an SQL error message being logged in the OTRS system log. >>> 2. SQL injection #2 A malicious user may be able to conduct blind SQL code injection on the OTRS 'AgentTicketPlain' function in the 'TicketID' parameter. Successful authentication IS required, however, a non-authenticated user will be prompted for her login credentials and the attack will still be carried out after the login succeeded. By injecting a LEFT JOIN statement into the SQL query, an attacker may be able to exploit this issue. The following partial URL demonstrates this issue: [OTRS_BaseURI]/admin/index.pl?Action=AgentTicketPlain&ArticleID=1&Ticket ID=1%20[SQL_HERE] This results in an SQL error message being logged in the OTRS system log. >>> 3. SQL injection #3 A malicious user may be able to conduct blind SQL code injection on the OTRS 'AgentTicketPlain' function in the 'ArticleID' parameter. Successful authentication IS required, however, a non-authenticated user will be prompted for her login credentials and the attack will still be carried out after the login succeeded. By injecting a LEFT JOIN statement into the SQL query, an attacker may be able to exploit this issue. The following partial URL demonstrates this issue: [OTRS_BaseURI]/admin/index.pl?Action=AgentTicketPlain&TicketID=1&Article ID=1%20[SQL_HERE] This results in an SQL error message being logged in the OTRS system log. >>> 4. Cross Site Scripting #1 OTRS is subject to a XSS vulnerability on the file attachment display function. An attacker may send malicious code inside an email attachment of Content-Type "text/html". A queue moderator clicking the attachment download button (disk symbol) on a ticket created based on a HTML email will have this attachment rendered by her browser. Thus, any malicious client side code included in the HTML attachment will be executed in the security context of the OTRS domain. This refers to the default configuration (AttachmentDownloadType = "inline") but does not apply if AttachmentDownloadType is set to "attachment". >>> 5. Cross Site Scripting #2 OTRS is subject to a XSS vulnerability on the queue selection function. An attacker may inject arbitrary client side script code into the 'QueueID' parameter. Successful authentication IS required, however, a non-authenticated user will be prompted for her login credentials and the attack will still be carried out after the login succeeded. The following partial URL demonstrates this issue: [OTRS_BaseURI]/index.pl?QueueID=%22%3E%3Cscript%3Ealert('[XSS_HERE]')%3B %3C/script%3E%3Cx%20y=%22 >>> 6. Cross Site Scripting #3 OTRS is subject to a XSS vulnerability on the 'Action' parameter. An attacker may inject arbitrary client side script code into this parameter. To exploit this issue, successful authentication IS required, however, a non-authenticated user will be prompted for her login credentials and the attack will still be carried out after the login succeeded. The following partial URL demonstrates this issue: [OTRS_BaseURI]/index.pl?Action="><script>alert(document.title);</script> <x%20" This is only exploitable on web browsers which perform limited URL encoding before submitting user input, such as Internet Explorer (tested on v6.2900.2180 including all patches on Windows XP SP2) and Konqueror (tested on V3.3.2). BACKGROUND SQL Injection: SQL injection describes the inclusion of additional SQL database query language statements into an existing query as carried out by a web application. A common attack vector is the injection of user-supplied arbitrary SQL statements into the applications' databse queries. Failure to completely sanitize user input from malicious content can cause a web application to be vulnerable to SQL Injection. http://en.wikipedia.org/wiki/SQL_injection http://www.cgisecurity.com/questions/sql.shtml Cross Site Scripting (XSS): Cross Site Scripting, also known as XSS or CSS, describes the injection of malicious content into output produced by a web application. A common attack vector is the inclusion of arbitrary client side script code into the applications' output. Failure to completely sanitize user input from malicious content can cause a web application to be vulnerable to Cross Site Scripting. http://en.wikipedia.org/wiki/XSS http://www.cgisecurity.net/articles/xss-faq.shtml WORKAROUNDS Issues 1-3: Client: Disable Javascript. Server: Prevent access to vulnerable file(s). Issue 4: Client: Right-click on disk logo and select to download to file ('save as'). Server: Change configuration to force file download. Admin interface -> SysConfig -> Framework -> Core::Web -> AttachmentDownloadType -> "attachment". Issues 5-6: Client: N/A Server: Prevent access to vulnerable file(s). SOLUTIONS OTRS has released versions 2.0.4 and 1.3.3 today. These are supposed to fix all of the above issues. The updated packages are available at ftp://ftp.otrs.org/pub/otrs/ TIMELINE Oct 17, 2005 Issue 1: Discovery, code maintainer notification Oct 17, 2005 Issue 1: Code maintainer acknowledgement Oct 17, 2005 Issue 4: Discovery, code maintainer notification Oct 17, 2005 Issue 4: Code maintainer acknowledgement Oct 18, 2005 Issue 5: Discovery, code maintainer notification Oct 18, 2005 Issue 5: Discovery, code maintainer notification Oct 18, 2005 Issue 2: Discovery, code maintainer notification Oct 18, 2005 Issue 3: Discovery, code maintainer notification Oct 30, 2005 Issue 6: Discovery, code maintainer notification Oct 31, 2005 Issue 2: Code maintainer acknowledgement Oct 31, 2005 Issue 3: Code maintainer acknowledgement Nov 22, 2005 Issues 1-6: Code maintainer provides fix Nov 22, 2005 Issues 1-6: Coordinated release & publication REFERENCES OTRS Advisory http://otrs.org/advisory/OSA-2005-01-en/ ADDITIONAL CREDIT N/A LICENSE Creative Commons Attribution-ShareAlike License Germany http://creativecommons.org/licenses/by-sa/2.0/de/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iD8DBQFDg4qmn6GkvSd/BgwRAkXXAJ9jHNuFo2nSshhc0lcZeDjox0AAjQCfa/Uv wG0B8Y8YgLTMxt0N+u8v/AI= =y8YA -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top