javascript in articles: a security threat?

Hi all,
I just discovered an agent adding a note to a ticket. The only text in the note was: “<script>alert("Hi");</script>”. When you open the ticket, the JavaScript code executes and you get the "Hi" alert.
I'm not much of a webadmin, I'm more a developer; I'm not that much into web-server security.
I'd like to know if you think this could be a security risk. Bear in mind that we are creating tickets from emails, and that these tickets will be HTML if the email's MIME type was text/html.
Kind regards,
Juan Clavero

Hi Juan,
customer articles are displayed differently in OTRS; inline content is not shown by default.
Regards, mg
On 31.05.12 16:50, Juan Manuel Clavero Almirón wrote:
--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
-- Martin Gruner, Senior Developer R&D
OTRS AG, Europaring 4, 94315 Straubing
T: +49 (0)6172 681988 0 F: +49 (0)9421 56818 18 I: www.otrs.com/
Registered office: Bad Homburg, District Court: Bad Homburg, HRB 10751, VAT ID: DE256610065. Chairman of the Supervisory Board: Burchard Steinbild. Management Board: André Mindermann (Chairman), Christopher Kuhn
Let's connect! OTRS 3.1 makes integration with third-party applications easier -- early-bird rate: http://www.otrs.com/index.php?id=2361&L=1
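An added example, not OTRS code, of the distinction mg draws: article bodies that arrive from an agent or from an inbound e-mail are treated as data, with text/plain escaped verbatim and text/html reduced to an allowlist before anything reaches the agent's browser. The tag and attribute allowlists are assumptions chosen for illustration.

```python
# Added example (not OTRS code): render article bodies so markup from an agent or an
# inbound e-mail is shown as data, never executed. The allowlist is an illustrative assumption.
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "ul", "ol", "li", "a", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}            # no style=, no on*= handlers anywhere
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class ArticleSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0                 # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1            # swallow the element together with its text
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                          # unknown tag: keep its text, drop the tag itself
        safe = ""
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                    # drops onclick=, onerror=, style=, ...
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue                    # drops javascript:, data:, vbscript: links
            safe += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{safe}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))   # re-escape decoded text

def render_article(body: str, mime_type: str) -> str:
    """text/plain is escaped verbatim; text/html is rebuilt from allowlisted parts only."""
    if mime_type.lower() != "text/html":
        return "<pre>" + html.escape(body, quote=False) + "</pre>"
    sanitizer = ArticleSanitizer()
    sanitizer.feed(body)
    sanitizer.close()
    return "".join(sanitizer.out)
```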

Thanks mg
So it just leaves us with the code our agents may leave in an article. Can this be a security threat?
Kind regards,
Juan Clavero
From: Martin Gruner [mailto:martin.gruner@otrs.com] Sent: Monday, 04 June 2012 10:04 To: User questions and discussions about OTRS. Subject: Re: [otrs] javascript in articles: a security threat?

Hi Juan,
agents could in fact place malicious code. However, since OTRS 3.1, OTRS checks in all places with write access for the so-called ChallengeToken, which is unique to the user's session. Only if you have that information can you make changes to the system.
Regards, mg
On 04.06.12 13:43, Juan Manuel Clavero Almirón wrote:
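An added example, not OTRS code, of the session-bound write check mg describes: the server stamps its own forms with a token derived for that session and refuses any state-changing action that does not carry it back. How OTRS itself derives its ChallengeToken is not stated in the thread, so the keyed hash and the action names below are assumptions.

```python
# Added example (not OTRS code): a session-bound challenge token for write actions,
# modelled on the ChallengeToken check described above. Token derivation is an assumption.
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Per-installation secret, constructed at process start and never sent to clients.
SERVER_SECRET = secrets.token_bytes(32)

# Assumed names of state-changing actions; read-only views such as ticket zoom are absent.
WRITE_ACTIONS = {"AgentTicketNote", "AgentTicketClose", "AgentTicketMove"}


def challenge_token(session_id: str) -> str:
    """Token bound to one session: unforgeable without SERVER_SECRET, useless for others."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_note_form(session_id: str, ticket_id: int) -> str:
    """The server's own forms carry the session's token as a hidden field."""
    return (
        '<form method="post" action="index.pl?Action=AgentTicketNote">'
        f'<input type="hidden" name="TicketID" value="{ticket_id}">'
        f'<input type="hidden" name="ChallengeToken" value="{challenge_token(session_id)}">'
        '<textarea name="Body"></textarea><button>Submit</button></form>'
    )


def authorize_request(session_id: str, action: str, form_body: str) -> bool:
    """Write actions must present the token for this very session; reads need only a session.
    A request assembled without the server's form (e.g. submitted from elsewhere) fails here."""
    if action not in WRITE_ACTIONS:
        return True
    supplied = parse_qs(form_body).get("ChallengeToken", [""])[0]
    # constant-time comparison: does not leak how many characters matched
    return hmac.compare_digest(supplied.encode(), challenge_token(session_id).encode())
```

A token like this stops requests forged from outside the application; script that actually runs inside an agent's own page can read the hidden field, so escaping or sanitizing article HTML before it is displayed remains the primary defense against what Juan observed.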