[Full-disclosure] OTRS 1.x/2.x Multiple Security Issues

From: Moritz Naumann (security_at_moritz-naumann.com)
Date: 11/22/05

  • Next message: Petko Petkov: "[Full-disclosure] Re: Google Base" 
    Date: Tue, 22 Nov 2005 22:31:42 +0100
To: Full Disclosure <full-disclosure@lists.grok.org.uk>

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    SA0007

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    +++++ OTRS 1.x/2.x Multiple Security Issues +++++
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    PUBLISHED ON
      Nov 22, 2005

    PUBLISHED AT
      http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt
      http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt.sig

    PUBLISHED BY
      Moritz Naumann IT Consulting & Services
      Hamburg, Germany
      http://moritz-naumann.com/

      SECURITY at MORITZ hyphon NAUMANN d0t COM
      GPG key: http://moritz-naumann.com/keys/0x277F060C.asc

    AFFECTED APPLICATION OR SERVICE
      OTRS
      http://www.otrs.org/

      OTRS, the Open Source Ticket Request System, is a trouble
      ticket system which allows for managing customer telephone
      calls and e-mails.

    AFFECTED VERSIONS
      Version 2.0.0 up to and including 2.0.3 and OTRS 1.0.0 up
      to and including 1.3.2.

    ISSUES
      OTRS is subject to multiple security vulnerabilities,
      ranging from cross site scripting to SQL injection.

    >>> 1. SQL injection #1
      A malicious user may be able to conduct blind SQL code
      injection on the OTRS 'Login' function. Successful
      authentication is NOT required. By injecting a LEFT JOIN
      statement into the authentication database SQL query,
      an attacker may be able to exploit this issue.

      The following partial URL demonstrates this issue:
      [OTRS_BaseURI]/index.pl?Action=Login&User=%27[SQL_HERE]

      This results in an SQL error message being logged in the
      OTRS system log.

    >>> 2. SQL injection #2
      A malicious user may be able to conduct blind SQL code
      injection on the OTRS 'AgentTicketPlain' function in the
      'TicketID' parameter. Successful authentication IS required,
      however, a non-authenticated user will be prompted for her
      login credentials and the attack will still be carried out
      after the login succeeded. By injecting a LEFT JOIN statement
      into the SQL query, an attacker may be able to exploit this
      issue.

      The following partial URL demonstrates this issue:

    [OTRS_BaseURI]/admin/index.pl?Action=AgentTicketPlain&ArticleID=1&TicketID=1%20[SQL_HERE]

      This results in an SQL error message being logged in the
      OTRS system log.

    >>> 3. SQL injection #3
      A malicious user may be able to conduct blind SQL code
      injection on the OTRS 'AgentTicketPlain' function in the
      'ArticleID' parameter. Successful authentication IS required,
      however, a non-authenticated user will be prompted for her
      login credentials and the attack will still be carried out
      after the login succeeded. By injecting a LEFT JOIN statement
      into the SQL query, an attacker may be able to exploit this
      issue.

      The following partial URL demonstrates this issue:

    [OTRS_BaseURI]/admin/index.pl?Action=AgentTicketPlain&TicketID=1&ArticleID=1%20[SQL_HERE]

      This results in an SQL error message being logged in the
      OTRS system log.

    >>> 4. Cross Site Scripting #1
      OTRS is subject to a XSS vulnerability on the file attachment
      display function.

      An attacker may send malicious code inside an email attachment
      of Content-Type "text/html". A queue moderator clicking the
      attachment download button (disk symbol) on a ticket created
      based on a HTML email will have this attachment rendered by
      her browser. Thus, any malicious client side code included in
      the HTML attachment will be executed in the security context
      of the OTRS domain.

      This refers to the default configuration
      (AttachmentDownloadType = "inline") but does not apply if
      AttachmentDownloadType is set to "attachment".

    >>> 5. Cross Site Scripting #2
      OTRS is subject to a XSS vulnerability on the queue selection
      function.

      An attacker may inject arbitrary client side script code into
      the 'QueueID' parameter. Successful authentication IS required,
      however, a non-authenticated user will be prompted for her
      login credentials and the attack will still be carried out
      after the login succeeded.

      The following partial URL demonstrates this issue:

    [OTRS_BaseURI]/index.pl?QueueID=%22%3E%3Cscript%3Ealert('[XSS_HERE]')%3B%3C/script%3E%3Cx%20y=%22

    >>> 6. Cross Site Scripting #3
      OTRS is subject to a XSS vulnerability on the 'Action'
      parameter. An attacker may inject arbitrary client side script
      code into this parameter. To exploit this issue, successful
      authentication IS required, however, a non-authenticated user
      will be prompted for her login credentials and the attack will
      still be carried out after the login succeeded.

      The following partial URL demonstrates this issue:

    [OTRS_BaseURI]/index.pl?Action="><script>alert(document.title);</script><x%20"

      This is only exploitable on web browsers which perform limited
      URL encoding before submitting user input, such as Internet
      Explorer (tested on v6.2900.2180 including all patches on
      Windows XP SP2) and Konqueror (tested on V3.3.2).

    BACKGROUND
      SQL Injection:
      SQL injection describes the inclusion of additional SQL
      database query language statements into an existing query as
      carried out by a web application. A common attack vector is
      the injection of user-supplied arbitrary SQL statements into
      the applications' databse queries. Failure to completely
      sanitize user input from malicious content can cause a web
      application to be vulnerable to SQL Injection.

      http://en.wikipedia.org/wiki/SQL_injection
      http://www.cgisecurity.com/questions/sql.shtml

      Cross Site Scripting (XSS):
      Cross Site Scripting, also known as XSS or CSS, describes
      the injection of malicious content into output produced
      by a web application. A common attack vector is the
      inclusion of arbitrary client side script code into the
      applications' output. Failure to completely sanitize user
      input from malicious content can cause a web application
      to be vulnerable to Cross Site Scripting.

      http://en.wikipedia.org/wiki/XSS
      http://www.cgisecurity.net/articles/xss-faq.shtml

    WORKAROUNDS
      Issues 1-3:
        Client: Disable Javascript.
        Server: Prevent access to vulnerable file(s).
      Issue 4:
        Client: Right-click on disk logo and select to download
                to file ('save as').
        Server: Change configuration to force file download.
                Admin interface -> SysConfig -> Framework
                -> Core::Web -> AttachmentDownloadType
                -> "attachment".
      Issues 5-6:
        Client: N/A
        Server: Prevent access to vulnerable file(s).

    SOLUTIONS
      OTRS has released versions 2.0.4 and 1.3.3 today. These are
      supposed to fix all of the above issues. The updated
      packages are available at ftp://ftp.otrs.org/pub/otrs/

    TIMELINE
      Oct 17, 2005 Issue 1: Discovery, code maintainer notification
      Oct 17, 2005 Issue 1: Code maintainer acknowledgement
      Oct 17, 2005 Issue 4: Discovery, code maintainer notification
      Oct 17, 2005 Issue 4: Code maintainer acknowledgement
      Oct 18, 2005 Issue 5: Discovery, code maintainer notification
      Oct 18, 2005 Issue 5: Discovery, code maintainer notification
      Oct 18, 2005 Issue 2: Discovery, code maintainer notification
      Oct 18, 2005 Issue 3: Discovery, code maintainer notification
      Oct 30, 2005 Issue 6: Discovery, code maintainer notification
      Oct 31, 2005 Issue 2: Code maintainer acknowledgement
      Oct 31, 2005 Issue 3: Code maintainer acknowledgement
      Nov 22, 2005 Issues 1-6: Code maintainer provides fix
      Nov 22, 2005 Issues 1-6: Coordinated release & publication

    REFERENCES
      OTRS Advisory
        http://otrs.org/advisory/OSA-2005-01-en/

    ADDITIONAL CREDIT
      N/A

    LICENSE
      Creative Commons Attribution-ShareAlike License Germany
      http://creativecommons.org/licenses/by-sa/2.0/de/

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.2 (GNU/Linux)

    iD8DBQFDg449n6GkvSd/BgwRArlHAJ97RAKHHm+Yi9Uc5UQoa7LrswLtegCeKrui
    s4Wu0yl9D0h6QxnLpGfy+GA=
    =NYvM
    -----END PGP SIGNATURE-----
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

  • Next message: Petko Petkov: "[Full-disclosure] Re: Google Base"