OTRS 1.x/2.x Multiple Security Issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SA0007
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++ OTRS 1.x/2.x Multiple Security Issues +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
PUBLISHED ON
Nov 22, 2005
PUBLISHED AT
http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt
http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt.sig
PUBLISHED BY
Moritz Naumann IT Consulting & Services
Hamburg, Germany
http://moritz-naumann.com/
SECURITY at MORITZ hyphon NAUMANN d0t COM
GPG key: http://moritz-naumann.com/keys/0x277F060C.asc
AFFECTED APPLICATION OR SERVICE
OTRS
http://www.otrs.org/
OTRS, the Open Source Ticket Request System, is a trouble
ticket system which allows for managing customer telephone
calls and e-mails.
AFFECTED VERSIONS
Version 2.0.0 up to and including 2.0.3 and OTRS 1.0.0 up
to and including 1.3.2.
ISSUES
OTRS is subject to multiple security vulnerabilities,
ranging from cross site scripting to SQL injection.
>>> 1. SQL injection #1
A malicious user may be able to conduct blind SQL code
injection on the OTRS 'Login' function. Successful
authentication is NOT required. By injecting a LEFT JOIN
statement into the authentication database SQL query,
an attacker may be able to exploit this issue.
The following partial URL demonstrates this issue:
[OTRS_BaseURI]/index.pl?Action=Login&User=%27[SQL_HERE]
This results in an SQL error message being logged in the
OTRS system log.
>>> 2. SQL injection #2
A malicious user may be able to conduct blind SQL code
injection on the OTRS 'AgentTicketPlain' function in the
'TicketID' parameter. Successful authentication IS required,
however, a non-authenticated user will be prompted for her
login credentials and the attack will still be carried out
after the login succeeded. By injecting a LEFT JOIN statement
into the SQL query, an attacker may be able to exploit this
issue.
The following partial URL demonstrates this issue:
[OTRS_BaseURI]/admin/index.pl?Action=AgentTicketPlain&ArticleID=1&TicketID=1%20[SQL_HERE]
This results in an SQL error message being logged in the
OTRS system log.
>>> 3. SQL injection #3
A malicious user may be able to conduct blind SQL code
injection on the OTRS 'AgentTicketPlain' function in the
'ArticleID' parameter. Successful authentication IS required,
however, a non-authenticated user will be prompted for her
login credentials and the attack will still be carried out
after the login succeeded. By injecting a LEFT JOIN statement
into the SQL query, an attacker may be able to exploit this
issue.
The following partial URL demonstrates this issue:
[OTRS_BaseURI]/admin/index.pl?Action=AgentTicketPlain&TicketID=1&ArticleID=1%20[SQL_HERE]
This results in an SQL error message being logged in the
OTRS system log.
>>> 4. Cross Site Scripting #1
OTRS is subject to a XSS vulnerability on the file attachment
display function.
An attacker may send malicious code inside an email attachment
of Content-Type "text/html". A queue moderator clicking the
attachment download button (disk symbol) on a ticket created
based on a HTML email will have this attachment rendered by
her browser. Thus, any malicious client side code included in
the HTML attachment will be executed in the security context
of the OTRS domain.
This refers to the default configuration
(AttachmentDownloadType = "inline") but does not apply if
AttachmentDownloadType is set to "attachment".
>>> 5. Cross Site Scripting #2
OTRS is subject to a XSS vulnerability on the queue selection
function.
An attacker may inject arbitrary client side script code into
the 'QueueID' parameter. Successful authentication IS required,
however, a non-authenticated user will be prompted for her
login credentials and the attack will still be carried out
after the login succeeded.
The following partial URL demonstrates this issue:
[OTRS_BaseURI]/index.pl?QueueID=%22%3E%3Cscript%3Ealert('[XSS_HERE]')%3B%3C/script%3E%3Cx%20y=%22
>>> 6. Cross Site Scripting #3
OTRS is subject to a XSS vulnerability on the 'Action'
parameter. An attacker may inject arbitrary client side script
code into this parameter. To exploit this issue, successful
authentication IS required, however, a non-authenticated user
will be prompted for her login credentials and the attack will
still be carried out after the login succeeded.
The following partial URL demonstrates this issue:
[OTRS_BaseURI]/index.pl?Action="><script>alert(document.title);</script><x%20"
This is only exploitable on web browsers which perform limited
URL encoding before submitting user input, such as Internet
Explorer (tested on v6.2900.2180 including all patches on
Windows XP SP2) and Konqueror (tested on V3.3.2).
BACKGROUND
SQL Injection:
SQL injection describes the inclusion of additional SQL
database query language statements into an existing query as
carried out by a web application. A common attack vector is
the injection of user-supplied arbitrary SQL statements into
the applications' databse queries. Failure to completely
sanitize user input from malicious content can cause a web
application to be vulnerable to SQL Injection.
http://en.wikipedia.org/wiki/SQL_injection
http://www.cgisecurity.com/questions/sql.shtml
Cross Site Scripting (XSS):
Cross Site Scripting, also known as XSS or CSS, describes
the injection of malicious content into output produced
by a web application. A common attack vector is the
inclusion of arbitrary client side script code into the
applications' output. Failure to completely sanitize user
input from malicious content can cause a web application
to be vulnerable to Cross Site Scripting.
http://en.wikipedia.org/wiki/XSS
http://www.cgisecurity.net/articles/xss-faq.shtml
WORKAROUNDS
Issues 1-3:
Client: Disable Javascript.
Server: Prevent access to vulnerable file(s).
Issue 4:
Client: Right-click on disk logo and select to download
to file ('save as').
Server: Change configuration to force file download.
Admin interface -> SysConfig -> Framework
-> Core::Web -> AttachmentDownloadType
-> "attachment".
Issues 5-6:
Client: N/A
Server: Prevent access to vulnerable file(s).
SOLUTIONS
OTRS has released versions 2.0.4 and 1.3.3 today. These are
supposed to fix all of the above issues. The updated
packages are available at ftp://ftp.otrs.org/pub/otrs/
TIMELINE
Oct 17, 2005 Issue 1: Discovery, code maintainer notification
Oct 17, 2005 Issue 1: Code maintainer acknowledgement
Oct 17, 2005 Issue 4: Discovery, code maintainer notification
Oct 17, 2005 Issue 4: Code maintainer acknowledgement
Oct 18, 2005 Issue 5: Discovery, code maintainer notification
Oct 18, 2005 Issue 5: Discovery, code maintainer notification
Oct 18, 2005 Issue 2: Discovery, code maintainer notification
Oct 18, 2005 Issue 3: Discovery, code maintainer notification
Oct 30, 2005 Issue 6: Discovery, code maintainer notification
Oct 31, 2005 Issue 2: Code maintainer acknowledgement
Oct 31, 2005 Issue 3: Code maintainer acknowledgement
Nov 22, 2005 Issues 1-6: Code maintainer provides fix
Nov 22, 2005 Issues 1-6: Coordinated release & publication
REFERENCES
OTRS Advisory
http://otrs.org/advisory/OSA-2005-01-en/
ADDITIONAL CREDIT
N/A
LICENSE
Creative Commons Attribution-ShareAlike License Germany
http://creativecommons.org/licenses/by-sa/2.0/de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDg4qmn6GkvSd/BgwRAkXXAJ9jHNuFo2nSshhc0lcZeDjox0AAjQCfa/Uv
wG0B8Y8YgLTMxt0N+u8v/AI=
=y8YA
-----END PGP SIGNATURE-----