The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SA0007
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++ OTRS 1.x/2.x Multiple Security Issues +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
PUBLISHED ON
Nov 22, 2005
PUBLISHED AT
http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt
http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt.sig
PUBLISHED BY
Moritz Naumann IT Consulting & Services
Hamburg, Germany
http://moritz-naumann.com/
SECURITY at MORITZ hyphon NAUMANN d0t COM
GPG key: http://moritz-naumann.com/keys/0x277F060C.asc
AFFECTED APPLICATION OR SERVICE
OTRS
http://www.otrs.org/
OTRS, the Open Source Ticket Request System, is a trouble
ticket system which allows for managing customer telephone
calls and e-mails.
AFFECTED VERSIONS
Version 2.0.0 up to and including 2.0.3 and OTRS 1.0.0 up
to and including 1.3.2.
ISSUES
OTRS is subject to multiple security vulnerabilities,
ranging from cross site scripting to SQL injection.
>>> 1. SQL injection #1
A malicious user may be able to conduct blind SQL code
injection on the OTRS 'Login' function. Successful
authentication is NOT required. By injecting a LEFT JOIN
statement into the authentication database SQL query,
an attacker may be able to exploit this issue.
The following partial URL demonstrates this issue:
[OTRS_BaseURI]/index.pl?Action=Login&User=%27[SQL_HERE]
This results in an SQL error message being logged in the
OTRS system log.
>>> 2. SQL injection #2
A malicious user may be able to conduct blind SQL code
injection on the OTRS 'AgentTicketPlain' function in the
'TicketID' parameter. Successful authentication IS required,
however, a non-authenticated user will be prompted for her
login credentials and the attack will still be carried out
after the login succeeded. By injecting a LEFT JOIN statement
into the SQL query, an attacker may be able to exploit this
issue.
The following partial URL demonstrates this issue:
[OTRS_BaseURI]/admin/index.pl?Action=AgentTicketPlain&ArticleID=1&Ticket
ID=1%20[SQL_HERE]
This results in an SQL error message being logged in the
OTRS system log.
>>> 3. SQL injection #3
A malicious user may be able to conduct blind SQL code
injection on the OTRS 'AgentTicketPlain' function in the
'ArticleID' parameter. Successful authentication IS required,
however, a non-authenticated user will be prompted for her
login credentials and the attack will still be carried out
after the login succeeded. By injecting a LEFT JOIN statement
into the SQL query, an attacker may be able to exploit this
issue.
The following partial URL demonstrates this issue:
[OTRS_BaseURI]/admin/index.pl?Action=AgentTicketPlain&TicketID=1&Article
ID=1%20[SQL_HERE]
This results in an SQL error message being logged in the
OTRS system log.
>>> 4. Cross Site Scripting #1
OTRS is subject to a XSS vulnerability on the file attachment
display function.
An attacker may send malicious code inside an email attachment
of Content-Type "text/html". A queue moderator clicking the
attachment download button (disk symbol) on a ticket created
based on a HTML email will have this attachment rendered by
her browser. Thus, any malicious client side code included in
the HTML attachment will be executed in the security context
of the OTRS domain.
This refers to the default configuration
(AttachmentDownloadType = "inline") but does not apply if
AttachmentDownloadType is set to "attachment".
>>> 5. Cross Site Scripting #2
OTRS is subject to a XSS vulnerability on the queue selection
function.
An attacker may inject arbitrary client side script code into
the 'QueueID' parameter. Successful authentication IS required,
however, a non-authenticated user will be prompted for her
login credentials and the attack will still be carried out
after the login succeeded.
The following partial URL demonstrates this issue:
[OTRS_BaseURI]/index.pl?QueueID=%22%3E%3Cscript%3Ealert('[XSS_HERE]')%3B
%3C/script%3E%3Cx%20y=%22
>>> 6. Cross Site Scripting #3
OTRS is subject to a XSS vulnerability on the 'Action'
parameter. An attacker may inject arbitrary client side script
code into this parameter. To exploit this issue, successful
authentication IS required, however, a non-authenticated user
will be prompted for her login credentials and the attack will
still be carried out after the login succeeded.
The following partial URL demonstrates this issue:
[OTRS_BaseURI]/index.pl?Action="><script>alert(document.title);</script>
<x%20"
This is only exploitable on web browsers which perform limited
URL encoding before submitting user input, such as Internet
Explorer (tested on v6.2900.2180 including all patches on
Windows XP SP2) and Konqueror (tested on V3.3.2).
BACKGROUND
SQL Injection:
SQL injection describes the inclusion of additional SQL
database query language statements into an existing query as
carried out by a web application. A common attack vector is
the injection of user-supplied arbitrary SQL statements into
the applications' databse queries. Failure to completely
sanitize user input from malicious content can cause a web
application to be vulnerable to SQL Injection.
http://en.wikipedia.org/wiki/SQL_injection
http://www.cgisecurity.com/questions/sql.shtml
Cross Site Scripting (XSS):
Cross Site Scripting, also known as XSS or CSS, describes
the injection of malicious content into output produced
by a web application. A common attack vector is the
inclusion of arbitrary client side script code into the
applications' output. Failure to completely sanitize user
input from malicious content can cause a web application
to be vulnerable to Cross Site Scripting.
http://en.wikipedia.org/wiki/XSS
http://www.cgisecurity.net/articles/xss-faq.shtml
WORKAROUNDS
Issues 1-3:
Client: Disable Javascript.
Server: Prevent access to vulnerable file(s).
Issue 4:
Client: Right-click on disk logo and select to download
to file ('save as').
Server: Change configuration to force file download.
Admin interface -> SysConfig -> Framework
-> Core::Web -> AttachmentDownloadType
-> "attachment".
Issues 5-6:
Client: N/A
Server: Prevent access to vulnerable file(s).
SOLUTIONS
OTRS has released versions 2.0.4 and 1.3.3 today. These are
supposed to fix all of the above issues. The updated
packages are available at ftp://ftp.otrs.org/pub/otrs/
TIMELINE
Oct 17, 2005 Issue 1: Discovery, code maintainer notification
Oct 17, 2005 Issue 1: Code maintainer acknowledgement
Oct 17, 2005 Issue 4: Discovery, code maintainer notification
Oct 17, 2005 Issue 4: Code maintainer acknowledgement
Oct 18, 2005 Issue 5: Discovery, code maintainer notification
Oct 18, 2005 Issue 5: Discovery, code maintainer notification
Oct 18, 2005 Issue 2: Discovery, code maintainer notification
Oct 18, 2005 Issue 3: Discovery, code maintainer notification
Oct 30, 2005 Issue 6: Discovery, code maintainer notification
Oct 31, 2005 Issue 2: Code maintainer acknowledgement
Oct 31, 2005 Issue 3: Code maintainer acknowledgement
Nov 22, 2005 Issues 1-6: Code maintainer provides fix
Nov 22, 2005 Issues 1-6: Coordinated release & publication
REFERENCES
OTRS Advisory
http://otrs.org/advisory/OSA-2005-01-en/
ADDITIONAL CREDIT
N/A
LICENSE
Creative Commons Attribution-ShareAlike License Germany
http://creativecommons.org/licenses/by-sa/2.0/de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDg4qmn6GkvSd/BgwRAkXXAJ9jHNuFo2nSshhc0lcZeDjox0AAjQCfa/Uv
wG0B8Y8YgLTMxt0N+u8v/AI=
=y8YA
-----END PGP SIGNATURE-----
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum