Security Advisory 2011-01 – Several XSS attacks possible

April 04, 2011 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

Report a Vulnerability:

security@otrs.org

Security Advisory Details

  • Date: Apr 04, 2011
  • Title: Several XSS attacks possible
  • Severity: Less Critical
  • Affected:
    – OTRS Help Desk 2.4.x, 3.0.x
  • Fixed in:
    – OTRS Help Desk 2.4.10, 3.0.7
  • URL: http://otrs.org/advisory/OSA-2011-01-en/
  • CVE: CVE-2011-1518

Vulnerability Description

This Advisory covers vulnerabilities discovered in the OTRS core system.

Several XSS attacks possible

  • An attacker could trick a logged-in user into following a prepared URL inside the OTRS system. The resulting page may then contain attacker-supplied JavaScript, because values taken from the request were not correctly escaped while the HTML page was generated.

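The escaping defect described above, shown as an added Perl illustration (not OTRS code and not taken from the affected templates): a value from a prepared URL is written into an error page unchanged, beside the fixed rendering that escapes it at output time. The parameter name "Message", the URL, the page layout and the helper names are assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not OTRS code: a reflected XSS caused by writing a
# URL-supplied value into an error page without HTML escaping, beside the
# fixed rendering that escapes at output time.
use strict;
use warnings;

# Pull one parameter out of a query string and percent-decode it.
# (Hypothetical helper; OTRS has its own request handling.)
sub query_param {
    my ($query, $wanted) = @_;
    for my $pair (split /&/, $query) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && $name eq $wanted;
        $value = '' unless defined $value;
        $value =~ tr/+/ /;
        $value =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        return $value;
    }
    return undef;
}

# Escape the characters that can change meaning inside element content or
# a double-quoted attribute value.
sub html_escape {
    my ($text) = @_;
    return '' unless defined $text;
    my %map = (
        '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $text =~ s/([&<>"'])/$map{$1}/g;
    return $text;
}

# Vulnerable pattern: the message is interpolated into the HTML unchanged.
sub render_error_vulnerable {
    my ($message) = @_;
    return qq{<html><body><div class="Error">$message</div></body></html>\n};
}

# Fixed pattern: the same template, but the value is escaped when inserted.
sub render_error_fixed {
    my ($message) = @_;
    my $safe = html_escape($message);
    return qq{<html><body><div class="Error">$safe</div></body></html>\n};
}

# Constructed prepared URL; the parameter name "Message" is an assumption.
my $url   = 'http://otrs.example/otrs/index.pl?Action=Error'
          . '&Message=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E';
my ($query) = $url =~ /\?(.*)$/;
my $message = query_param($query, 'Message');

my $vuln  = render_error_vulnerable($message);
my $fixed = render_error_fixed($message);

print "Vulnerable page:\n$vuln\n";
print "Fixed page:\n$fixed\n";

# A live <script> element survives only in the vulnerable rendering; the
# fixed page carries "&lt;script&gt;...", which the browser shows as text.
printf "Script element in vulnerable page: %s\n", $vuln  =~ /<script>/ ? 'yes' : 'no';
printf "Script element in fixed page:      %s\n", $fixed =~ /<script>/ ? 'yes' : 'no';
```

The fix belongs where the value enters the HTML, which is why the files listed under Workaround are output templates (the .dtl files) and Layout.pm rather than the request-parsing code. Escaping on input instead would leave every other template that renders the same value exposed.
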
Recommended Resolution

Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.9, as well as all 3.0.x versions up to and including 3.0.6. This vulnerability is fixed in OTRS 2.4.10 and OTRS 3.0.7, and it is recommended to upgrade to one of these versions.

Fixed OTRS releases can be found at: https://community.otrs.com/category/release-notes-help-desk-2/

Detailed information about the required changes:

Workaround

As a workaround it is also possible to replace the following files with a fixed version.

OTRS 2.4.x:

  • Kernel/Output/HTML/Standard/Warning.dtl 1.9.2.1
  • Kernel/Output/HTML/Standard/Error.dtl 1.19.2.1
  • Kernel/Output/HTML/Standard/CustomerError.dtl 1.9.2.1
  • Kernel/Output/HTML/Lite/Warning.dtl 1.10.2.1
  • Kernel/Output/HTML/Layout.pm 1.176.2.25

OTRS 3.0.x:

  • Kernel/Output/HTML/Standard/CustomerError.dtl 1.11.2.1
  • Kernel/Output/HTML/Standard/CustomerFooter.dtl 1.40.2.4
  • Kernel/Output/HTML/Standard/CustomerWarning.dtl 1.13.2.1
  • Kernel/Output/HTML/Standard/CustomerTicketSearchResultShort.dtl 1.35.2.1
  • Kernel/Output/HTML/Standard/FooterJS.dtl 1.26.2.3
  • Kernel/Output/HTML/Standard/Error.dtl 1.29.2.1
  • Kernel/Output/HTML/Standard/Warning.dtl 1.16.2.1
  • Kernel/Output/HTML/Layout.pm 1.351.2.5

http://source.otrs.org/viewvc.cgi/otrs/Kernel/System/Ticket.pm?view=log

However, to avoid unwanted side effects, we recommend a complete update.

Also available on http://source.otrs.org/.

Please send information regarding vulnerabilities in OTRS to security@otrs.org.

Many thanks to Szymon Sobczyk for discovering and reporting this vulnerability.