Security Advisory 2005-01 – Vulnerabilities in OTRS-Core allows SQL-Injection and Cross-Site-Scripting

November 22, 2005 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

Report a Vulnerability:

security@otrs.org

Security Advisory Details

  • Date: Nov 22, 2005
  • Title: Vulnerabilities in OTRS-Core allows SQL-Injection and Cross-Site-Scripting
  • Severity: Critical
  • Affected:
    OTRS Help Desk OTRS 2.x
    OTRS Help Desk OTRS 1.x
  • Fixed in:
    OTRS Help Desk OTRS 2.0.4
    OTRS Help Desk OTRS 1.3.3

Vulnerability Description

This Advisory covers three vulnerabilities in the OTRS-System-Core.

SQL-Injection via UNION
Missing security quoting for SQL statements allows agents the manipulation of SQL queries. So it’s possible to inject SQL queries via UNION statements. A malicious user may be able to login successfully without valid credentials. Authentication mechanisms other than the database backend authentication are not affected. Authenticated users can use this vulnerabilitiy to get records from other OTRS database tables. This informations can be used for other attacks like session hijacking.

Open attachment in new browser window
In default config setting OTRS opens attachments in new browser windows if an agent clicks on the download symbole. An attacker can exploit this vulnerabilitiy by sending manipulated attachments with active script content which will be executed by the browser with user privileges.

Input fields allows injection of script code
Missing HTML quoting allows an agent in a valid session the injection of HTML tags. This vulnerability allows an attacker to inject script code into the OTRS webinterface which will be loaded and executed in users browsers.

Affected by these vulnerabilities are all releases of OTRS 2.x up to and including 2.0.3 and all releases of OTRS 1.x up to and including 1.3.2.

Recommended Resolution

These vulnerabilities are fixed in OTRS 2.0.4 and OTRS 1.3.3, and it is recommended to upgrade to one of these versions.

Workaround

As a workaround for vulnerability #2 it’s possible to disable the ‚open attachments in a browser window‘ feature by changing the config setting „AttachmentDownloadType = attachment“.

However, to avoid unwanted side effects, we recommend a complete update.