-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ----------------------------------------------------------------------- OTRS Security Advisory 2005-01 ----------------------------------------------------------------------- ID: OSA-2005-01 Date: 2005-11-22 Title: Vulnerabilities in OTRS-Core allows SQL-Injection and Cross-Site-Scripting Severity: Critical Product: OTRS 2.x, OTRS 1.x Fixed in: OTRS 2.0.4, OTRS 1.3.3 URL: http://otrs.org/advisory/OSA-2005-01-en/ ----------------------------------------------------------------------- This Advisory covers three vulnerabilities in the OTRS-System-Core. SQL-Injection via UNION Missing security quoting for SQL statements allows agents the manipulation of SQL queries. So it's possible to inject SQL queries via UNION statements. A malicious user may be able to login successfully without valid credentials. Authentication mechanisms other than the database backend authentication are not affected. Authenticated users can use this vulnerabilitiy to get records from other OTRS database tables. This informations can be used for other attacks like session hijacking. Open attachment in new browser window In default config setting OTRS opens attachments in new browser windows if an agent clicks on the download symbole. An attacker can exploit this vulnerabilitiy by sending manipulated attachments with active script content which will be executed by the browser with user privileges. Input fields allows injection of script code Missing HTML quoting allows an agent in a valid session the injection of HTML tags. This vulnerability allows an attacker to inject script code into the OTRS webinterface which will be loaded and executed in users browsers. Affected by these vulnerabilities are all releases of OTRS 2.x up to and including 2.0.3 and all releases of OTRS 1.x up to and including 1.3.2. These vulnerabilities are fixed in OTRS 2.0.4 and OTRS 1.3.3. Fixed OTRS releases can be found at: o ftp://ftp.otrs.org/ As a workaround for vulnerability #2 it's possible to disable the 'open attachments in a browser window' feature by changing the config setting "AttachmentDownloadType = attachment". Please send informations regarding vulnerabilities in OTRS to . Many thanks to Moritz Naumann (Naumann IT Consulting & Services) for discover this vulnerabilities. Copyright (c) OTRS GmbH, http://otrs.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFDhBkOuBqJltZnEl4RAoS0AKCCdj6hxEPsR6r8OPGSB0I8aLW9KwCfR84d Lo/mj+BeK9SD9F82VRPKOP8= =ylGb -----END PGP SIGNATURE-----