Hi Daniel,

I subscribe to the OTRS user list, and your OTRS server is unfortunately set up to read all mails sent from OTRS to your personal email account, create a ticket, and respond to the sender. In effect every new mail sent to the OTRS list will create a new ticket in your OTRS, to which you then respond. Could you please check your test system and correct this behavior? You need to be very careful which mail account you retrieve mails from in OTRS and how you auto-respond.

Regards

Rudolf Bargholz
Online Travel Services AG / Jenatschstrasse 1 / 8002 Zürich / Schweiz
Mail: bargholz@onlinetravel.ch / Tel.: +41 (44) 2046006 / Fax: +41 (44) 2046009
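The loop Rudolf describes (a ticket system fetching a mailing list's traffic, opening a ticket for every post and sending an automatic receipt back to the list, which is exactly what the forwarded message below is) is avoided by inspecting the inbound headers before auto-responding and by marking the auto-reply itself so that no other system answers it. The following is an added example for this thread, not OTRS's own code or configuration: it applies RFC 3834 (Auto-Submitted), the RFC 2369 list headers, the conventional Precedence: bulk/list/junk marker and the null Return-Path; the "-bounces@" Sender check is a Mailman-convention heuristic and an assumption, and the sample messages are constructed.

```python
"""Mailing-list loop guard for a ticket system's inbound-mail fetcher.

Added example, not OTRS code. The sample messages below are constructed.
"""
from email import message_from_string
from email.message import EmailMessage, Message

LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "List-Help")  # RFC 2369
BULK_PRECEDENCE = {"bulk", "list", "junk"}


def auto_reply_allowed(msg: Message) -> bool:
    """True only for ordinary person-to-person mail; False for anything
    generated by a program or distributed by a mailing list."""
    # RFC 3834: any value other than "no" (auto-generated, auto-replied,
    # auto-notified) means a machine produced the mail. Never answer it.
    auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
    if auto != "no":
        return False
    # De-facto bulk/list marker set by Mailman, Majordomo and others.
    if msg.get("Precedence", "").strip().lower() in BULK_PRECEDENCE:
        return False
    # List software adds RFC 2369 headers to every distributed post.
    if any(msg.get(h) is not None for h in LIST_HEADERS):
        return False
    # Null envelope sender: bounces and delivery status notifications.
    if msg.get("Return-Path", "").strip() == "<>":
        return False
    # Heuristic (assumption, Mailman convention): redistributed posts carry
    # Sender: <list>-bounces@<domain>; "-request@" is the list robot.
    sender = msg.get("Sender", "").lower()
    if "-bounces@" in sender or "-request@" in sender:
        return False
    return True


def build_receipt(msg: Message, ticket_id: str, from_addr: str) -> EmailMessage:
    """Build the automatic receipt, marked so that no auto-responder
    (including this one, if the receipt ever comes back) will answer it."""
    reply = EmailMessage()
    reply["From"] = from_addr
    reply["To"] = msg.get("Reply-To") or msg.get("From", "")
    reply["Subject"] = f"[Ticket#{ticket_id}] Re: {msg.get('Subject', '')}"
    reply["Auto-Submitted"] = "auto-replied"   # RFC 3834 marker
    reply["Precedence"] = "bulk"
    if msg.get("Message-ID"):
        reply["In-Reply-To"] = msg["Message-ID"]
    reply.set_content(
        f"Thank you for contacting us. Your request was filed as ticket "
        f"{ticket_id}. Please keep the ticket ID in the subject when replying."
    )
    return reply


def should_auto_reply(raw: str) -> bool:
    """Parse raw RFC 5322 text and apply the guard."""
    return auto_reply_allowed(message_from_string(raw))


def receipt_for(raw: str, ticket_id: str, from_addr: str) -> EmailMessage:
    return build_receipt(message_from_string(raw), ticket_id, from_addr)


# Constructed sample: a post redistributed by a Mailman list.
LIST_POST = """\
From: Daniel Perez <daniel@example.invalid>
Sender: otrs-bounces@otrs.org
To: otrs@otrs.org
Reply-To: otrs@otrs.org
Subject: [otrs] javascript in articles: a security threat?
List-Id: User questions and discussions about OTRS. <otrs.otrs.org>
Precedence: list

Can this be a security threat?
"""

# Constructed sample: a normal customer mail that should get a receipt.
DIRECT_MAIL = """\
From: Customer <customer@example.invalid>
To: support@example.invalid
Subject: Cannot log in
Message-ID: <constructed-1@example.invalid>

Please help.
"""

if __name__ == "__main__":
    for name, raw in (("list post", LIST_POST), ("direct mail", DIRECT_MAIL)):
        verdict = "allowed" if should_auto_reply(raw) else "suppressed"
        print(f"{name}: auto-reply {verdict}")
    receipt = receipt_for(DIRECT_MAIL, "13", "support@example.invalid")
    print("our own receipt would be answered:", auto_reply_allowed(receipt))
```

Note that Reply-To on a list post points back at the list, which is why a receipt that does get sent lands on the list and not in the original poster's mailbox; the guard has to run before the receipt is addressed, not after.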

From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] on behalf of Daniel Perez
Sent: Wednesday, 4 January 2012 14:40
To: otrs@otrs.org
Subject: [otrs] [#13]: Re: javascript in articles: a security threat?

User questions and discussions about OTRS.,

Thank you for contacting us. This is an automated response confirming the receipt of your ticket. One of our agents will get back to you as soon as possible. For your records, the details of the ticket are listed below. When replying, please make sure that the ticket ID is kept in the subject line to ensure that your replies are tracked appropriately.

Ticket ID: 13
Subject: Re: [otrs] javascript in articles: a security threat?
Department: General
Type: Issue
Status: Open
Priority: Normal

You can check the status of or reply to this ticket online at: http://kayakotest.com/index.php?/Tickets/Ticket/View/13

Kind regards,

Test


Ticket History User questions and discussions about OTRS. (Client) Posted On: 04 June 2012 12:32 PM

Hi Juan,

Agents could in fact place malicious code. However, since OTRS 3.1, OTRS
checks in all places with write access for the so-called ChallengeToken,
which is unique to the user's session. Only if you have that information
can you make changes to the system.

Regards, mg

On 04.06.12 13:43, Juan Manuel Clavero Almirón wrote:
>
> Thanks mg
>
> So it just leaves us with the code our agents may leave in an article.
> Can this be a security threat?
>
>
>
> Kind regards,
>
> Juan Clavero
>
>
>
>
>
> From: Martin Gruner [mailto:martin.gruner@otrs.com]
> Sent: Monday, 04 June 2012 10:04
> To: User questions and discussions about OTRS.
> Subject: Re: [otrs] javascript in articles: a security threat?
>
>
>
> Hi Juan,
>
> customer articles are displayed differently in OTRS, inline content is
> not shown by default.
>
> Regards, mg
>
> On 31.05.12 16:50, Juan Manuel Clavero Almirón wrote:
>
> Hi all,
>
>
>
> I just discovered an agent adding a note to a ticket. The only text in
> the note was: "". When you open the
> ticket, the JavaScript code executes and you get the "Hi" alert.
>
> I'm not much of a web admin, I'm more of a developer; I'm not that much
> into web-server security.
>
> I'd like to know if you think this could be a security risk. Bear in
> mind that we are creating tickets from emails, and that these tickets
> will be HTML if the email's MIME type was text/html.
>
> Kind regards,
>
> Juan Clavero
>
>
>
>
>
>
> ---------------------------------------------------------------------
> OTRS mailing list: otrs - Webpage: http://otrs.org/
> Archive: http://lists.otrs.org/pipermail/otrs
> To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
>
>
>
> --
> Martin Gruner
> Senior Developer R&D
>
> OTRS AG
> Europaring 4
> 94315 Straubing
>
> T: +49 (0)6172 681988 0
> F: +49 (0)9421 56818 18
> I: www.otrs.com/
>
> Registered office: Bad Homburg, Register court: Bad Homburg, HRB 10751, VAT no.: DE256610065
> Chairman of the Supervisory Board: Burchard Steinbild, Management Board: André Mindermann (Chairman), Christopher Kuhn
>
> Let's connect! OTRS 3.1 makes integration with third-party applications easier -- early-bird special price: http://www.otrs.com/index.php?id=2361&L=1
>



Ticket Details

Ticket ID: 13
Department: General
Type: Issue
Status: Open
Priority: Critical

Support Center: http://kayakotest.com/index.php?
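What Juan describes in the thread above (script placed in an article that executes for whoever opens the ticket, whether typed by an agent or arriving in a text/html mail) has the textbook shape of stored cross-site scripting, and the standard server-side defence is to pass article HTML through an allowlist sanitizer before it is rendered. The following is an added example for this thread and not OTRS's own code (OTRS is written in Perl and has its own HTML handling); the tag and attribute allowlists, the scheme list for href and the sample note are assumptions made for illustration.

```python
"""Allowlist HTML sanitizer for ticket articles.

Added example, not OTRS code. Article HTML (from a text/html mail or an
agent's note) goes through sanitize_article() before it is rendered, so
<script>, on* event handlers and javascript: URLs never reach the browser.
Allowlists are assumptions chosen for illustration; the sample is constructed.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li",
                "a", "blockquote", "pre", "code", "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"a": {"href", "title"}}      # no style, id or class anywhere
VOID_TAGS = {"br"}
SAFE_HREF_SCHEMES = ("http://", "https://", "mailto:")


class ArticleSanitizer(HTMLParser):
    """Re-serialises only allowlisted markup; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = 0   # >0 while inside <script>/<style>: drop text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping += 1
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return          # unknown tag dropped; its text content is kept
        kept = []
        for name, value in attrs:           # names arrive lowercased
            if name.startswith("on") or value is None:
                continue    # on* event handlers and bare attributes
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_SCHEMES):
                continue    # javascript:, data:, vbscript: and relative URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)    # <br/> and friends
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = max(0, self.skipping - 1)
            return
        if self.skipping or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            # The parser decoded entities for us; re-escape for output.
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                # drop comments, including IE conditional comments

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def unknown_decl(self, data):
        pass


def sanitize_article(html_body: str) -> str:
    """Return html_body reduced to allowlisted tags, attributes and text."""
    parser = ArticleSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)


# Constructed sample note mixing legitimate formatting with script vectors.
CONSTRUCTED_NOTE = (
    '<p onmouseover="alert(1)">Hi <b>team</b></p>'
    '<script>alert("Hi")</script>'
    '<a href="javascript:alert(1)">click</a>'
    '<a href="https://example.org/">ok</a>'
    '<img src="x" onerror="alert(1)">'
    'Tom &amp; Jerry <br/>'
)

if __name__ == "__main__":
    print(sanitize_article(CONSTRUCTED_NOTE))
```

The allowlist approach matters more than the particular lists: a denylist of known-bad tags has to anticipate every browser quirk, whereas an allowlist only has to describe the formatting a ticket legitimately needs, and anything unrecognised is reduced to its text.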