OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[Full-disclosure] OTRS 1.x/2.x Multiple Security Issues

From: Moritz Naumann (securitymoritz-naumann.com)
Date: Tue Nov 22 2005 - 15:31:42 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SA0007

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++ OTRS 1.x/2.x Multiple Security Issues +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

PUBLISHED ON
  Nov 22, 2005

PUBLISHED AT
  http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt
  http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt.sig

PUBLISHED BY
  Moritz Naumann IT Consulting & Services
  Hamburg, Germany
  http://moritz-naumann.com/

  SECURITY at MORITZ hyphon NAUMANN d0t COM
  GPG key: http://moritz-naumann.com/keys/0x277F060C.asc

AFFECTED APPLICATION OR SERVICE
  OTRS
  http://www.otrs.org/

  OTRS, the Open Source Ticket Request System, is a trouble
  ticket system which allows for managing customer telephone
  calls and e-mails.

AFFECTED VERSIONS
  Version 2.0.0 up to and including 2.0.3 and OTRS 1.0.0 up
  to and including 1.3.2.

ISSUES
  OTRS is subject to multiple security vulnerabilities,
  ranging from cross site scripting to SQL injection.

>>> 1. SQL injection #1
  A malicious user may be able to conduct blind SQL code
  injection on the OTRS 'Login' function. Successful
  authentication is NOT required. By injecting a LEFT JOIN
  statement into the authentication database SQL query,
  an attacker may be able to exploit this issue.

  The following partial URL demonstrates this issue:
  [OTRS_BaseURI]/index.pl?Action=Login&User=%27[SQL_HERE]

  This results in an SQL error message being logged in the
  OTRS system log.

>>> 2. SQL injection #2
  A malicious user may be able to conduct blind SQL code
  injection on the OTRS 'AgentTicketPlain' function in the
  'TicketID' parameter. Successful authentication IS required,
  however, a non-authenticated user will be prompted for her
  login credentials and the attack will still be carried out
  after the login succeeded. By injecting a LEFT JOIN statement
  into the SQL query, an attacker may be able to exploit this
  issue.

  The following partial URL demonstrates this issue:

[OTRS_BaseURI]/admin/index.pl?Action=AgentTicketPlain&ArticleID=1&TicketID=1%20[SQL_HERE]

  This results in an SQL error message being logged in the
  OTRS system log.

>>> 3. SQL injection #3
  A malicious user may be able to conduct blind SQL code
  injection on the OTRS 'AgentTicketPlain' function in the
  'ArticleID' parameter. Successful authentication IS required,
  however, a non-authenticated user will be prompted for her
  login credentials and the attack will still be carried out
  after the login succeeded. By injecting a LEFT JOIN statement
  into the SQL query, an attacker may be able to exploit this
  issue.

  The following partial URL demonstrates this issue:

[OTRS_BaseURI]/admin/index.pl?Action=AgentTicketPlain&TicketID=1&ArticleID=1%20[SQL_HERE]

  This results in an SQL error message being logged in the
  OTRS system log.

>>> 4. Cross Site Scripting #1
  OTRS is subject to a XSS vulnerability on the file attachment
  display function.

  An attacker may send malicious code inside an email attachment
  of Content-Type "text/html". A queue moderator clicking the
  attachment download button (disk symbol) on a ticket created
  based on a HTML email will have this attachment rendered by
  her browser. Thus, any malicious client side code included in
  the HTML attachment will be executed in the security context
  of the OTRS domain.

  This refers to the default configuration
  (AttachmentDownloadType = "inline") but does not apply if
  AttachmentDownloadType is set to "attachment".

>>> 5. Cross Site Scripting #2
  OTRS is subject to a XSS vulnerability on the queue selection
  function.

  An attacker may inject arbitrary client side script code into
  the 'QueueID' parameter. Successful authentication IS required,
  however, a non-authenticated user will be prompted for her
  login credentials and the attack will still be carried out
  after the login succeeded.

  The following partial URL demonstrates this issue:

[OTRS_BaseURI]/index.pl?QueueID=%22%3E%3Cscript%3Ealert('[XSS_HERE]')%3B%3C/script%3E%3Cx%20y=%22

>>> 6. Cross Site Scripting #3
  OTRS is subject to a XSS vulnerability on the 'Action'
  parameter. An attacker may inject arbitrary client side script
  code into this parameter. To exploit this issue, successful
  authentication IS required, however, a non-authenticated user
  will be prompted for her login credentials and the attack will
  still be carried out after the login succeeded.

  The following partial URL demonstrates this issue:

[OTRS_BaseURI]/index.pl?Action="><script>alert(document.title);</script><x%20"

  This is only exploitable on web browsers which perform limited
  URL encoding before submitting user input, such as Internet
  Explorer (tested on v6.2900.2180 including all patches on
  Windows XP SP2) and Konqueror (tested on V3.3.2).

BACKGROUND
  SQL Injection:
  SQL injection describes the inclusion of additional SQL
  database query language statements into an existing query as
  carried out by a web application. A common attack vector is
  the injection of user-supplied arbitrary SQL statements into
  the applications' databse queries. Failure to completely
  sanitize user input from malicious content can cause a web
  application to be vulnerable to SQL Injection.

  http://en.wikipedia.org/wiki/SQL_injection
  http://www.cgisecurity.com/questions/sql.shtml

  Cross Site Scripting (XSS):
  Cross Site Scripting, also known as XSS or CSS, describes
  the injection of malicious content into output produced
  by a web application. A common attack vector is the
  inclusion of arbitrary client side script code into the
  applications' output. Failure to completely sanitize user
  input from malicious content can cause a web application
  to be vulnerable to Cross Site Scripting.

  http://en.wikipedia.org/wiki/XSS
  http://www.cgisecurity.net/articles/xss-faq.shtml

WORKAROUNDS
  Issues 1-3:
    Client: Disable Javascript.
    Server: Prevent access to vulnerable file(s).
  Issue 4:
    Client: Right-click on disk logo and select to download
            to file ('save as').
    Server: Change configuration to force file download.
            Admin interface -> SysConfig -> Framework
            -> Core::Web -> AttachmentDownloadType
            -> "attachment".
  Issues 5-6:
    Client: N/A
    Server: Prevent access to vulnerable file(s).

SOLUTIONS
  OTRS has released versions 2.0.4 and 1.3.3 today. These are
  supposed to fix all of the above issues. The updated
  packages are available at ftp://ftp.otrs.org/pub/otrs/

TIMELINE
  Oct 17, 2005 Issue 1: Discovery, code maintainer notification
  Oct 17, 2005 Issue 1: Code maintainer acknowledgement
  Oct 17, 2005 Issue 4: Discovery, code maintainer notification
  Oct 17, 2005 Issue 4: Code maintainer acknowledgement
  Oct 18, 2005 Issue 5: Discovery, code maintainer notification
  Oct 18, 2005 Issue 5: Discovery, code maintainer notification
  Oct 18, 2005 Issue 2: Discovery, code maintainer notification
  Oct 18, 2005 Issue 3: Discovery, code maintainer notification
  Oct 30, 2005 Issue 6: Discovery, code maintainer notification
  Oct 31, 2005 Issue 2: Code maintainer acknowledgement
  Oct 31, 2005 Issue 3: Code maintainer acknowledgement
  Nov 22, 2005 Issues 1-6: Code maintainer provides fix
  Nov 22, 2005 Issues 1-6: Coordinated release & publication

REFERENCES
  OTRS Advisory
    http://otrs.org/advisory/OSA-2005-01-en/

ADDITIONAL CREDIT
  N/A

LICENSE
  Creative Commons Attribution-ShareAlike License Germany
  http://creativecommons.org/licenses/by-sa/2.0/de/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDg449n6GkvSd/BgwRArlHAJ97RAKHHm+Yi9Uc5UQoa7LrswLtegCeKrui
s4Wu0yl9D0h6QxnLpGfy+GA=
=NYvM
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/