Security Advisory 2012-03 – XSS vulnerability


October 16, 2012 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

Report a Vulnerability:

security@otrs.org

GPG Fingerprint 8280 7B65 3F78 39B8 AEF1 EED7 3D15 21D7 7846 E997


Security Advisory Details

Vulnerability Description

This Advisory covers vulnerabilities discovered in the OTRS core system.

XSS vulnerability

  • An attacker could send a specially prepared HTML email to OTRS which will cause JavaScript code to be executed when the email is displayed. This is achieved by using JavaScript source attributes that contain whitespace.

Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.14, 3.0.x up to and including 3.0.16 and 3.1.x up to and including 3.1.10.
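As an added illustration of the class of sanitizer weakness described above (example code written for this page, not OTRS's HTMLUtils.pm and not the vendor's fix): a naive prefix check on URL-bearing attributes such as src misses a value with a leading space or a tab inside the scheme, while a check that first decodes entities and strips whitespace and control characters rejects the same value. The attribute list, scheme allow-list, function names and sample values are all constructed for the example.

```python
"""Illustrative example added to this advisory page: why a naive check on
URL-bearing HTML attributes is bypassed by whitespace, and a normalizing
check that closes the gap. This is not OTRS code (HTMLUtils.pm) and does
not reproduce the vendor's fix; names and sample values are constructed."""
import html
import re

# Attributes whose value is loaded or navigated to as a URL (constructed
# list for the example; a real sanitizer keeps a fuller one).
URL_ATTRS = {"src", "href", "action", "formaction", "background"}

# Allow-list of schemes acceptable in a displayed e-mail; anything else
# (javascript:, vbscript:, data:, ...) is rejected rather than enumerated.
SAFE_SCHEMES = {"http", "https", "mailto", "cid"}

_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")
_STRIP_RE = re.compile(r"[\s\x00-\x1f\x7f]")


def naive_is_script_url(value: str) -> bool:
    """Weak check: flags only a literal 'javascript:' prefix, so a leading
    space or a tab inside the scheme slips past it even though browsers
    have historically tolerated both."""
    return value.lower().startswith("javascript:")


def normalize_url_value(value: str) -> str:
    """Canonical form used only for the scheme decision: decode HTML entities
    (e.g. &#9; -> tab), then remove every whitespace/control character and
    lower-case the result. The original attribute value is never rewritten."""
    decoded = html.unescape(value)
    return _STRIP_RE.sub("", decoded).lower()


def attribute_is_unsafe(name: str, value: str) -> bool:
    """True if a URL-bearing attribute carries a scheme outside SAFE_SCHEMES.
    Relative URLs (no scheme) are accepted; non-URL attributes are not
    judged here."""
    if name.lower() not in URL_ATTRS:
        return False
    match = _SCHEME_RE.match(normalize_url_value(value))
    if match is None:
        return False            # relative URL such as /img/logo.png
    return match.group(1) not in SAFE_SCHEMES


def sanitize_attributes(attrs: dict) -> dict:
    """Drop every attribute the hardened check rejects; keep the rest
    untouched."""
    return {k: v for k, v in attrs.items() if not attribute_is_unsafe(k, v)}


if __name__ == "__main__":
    # Constructed sample values, not taken from a real message.
    samples = [
        "javascript:alert(1)",
        " javascript:alert(1)",        # leading space
        "java\tscript:alert(1)",       # tab inside the scheme
        "java&#9;script:alert(1)",     # same tab written as an entity
        "https://example.com/a.png",
        "/img/logo.png",
    ]
    for s in samples:
        print(f"{s!r:32} naive={naive_is_script_url(s)!s:5} "
              f"hardened={attribute_is_unsafe('src', s)}")
    print(sanitize_attributes({"src": " javascript:alert(1)", "alt": "logo"}))
```

The normalized form is used only to decide the scheme; the attribute value that reaches the renderer is either kept verbatim or dropped, so legitimate URLs containing spaces in their path are not altered. Using an allow-list of schemes rather than a deny-list of dangerous ones means a scheme the check never anticipated is rejected by default.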


Recommended Resolution

This vulnerability is fixed in OTRS 2.4.15, 3.0.17 and 3.1.11, and it is recommended to upgrade to one of these versions.

Fixed OTRS releases can be found at: https://community.otrs.com/open-source/community-news/releases-notes/

Here is detailed information about the required changes:

Workaround

You can also replace the following files with a fixed version.

OTRS 3.1.x:

  • Kernel/System/HTMLUtils.pm 1.35.2.4

OTRS 3.0.x:

  • Kernel/System/HTMLUtils.pm 1.27.2.6

OTRS 2.4.x:

  • Kernel/Modules/CustomerTicketAttachment.pm 1.17.2.8
  • Kernel/Modules/AgentTicketAttachment.pm 1.22.2.8


http://source.otrs.org/viewvc.cgi/otrs/Kernel/System/Ticket.pm?view=log

However, to avoid unwanted side effects, we recommend a complete update.

Also available on http://source.otrs.org/.