OTRS 2.0 - AgentTicketPlain Action Multiple Parameter SQL Injection
2005-11-22T00:00:00
ID: EDB-ID:26551
Type: exploitdb
Reporter: Moritz Naumann
Modified: 2005-11-22T00:00:00
Description
OTRS 2.0 AgentTicketPlain Action Multiple Parameter SQL Injection. CVE-2005-3893. Webapps exploit for cgi platform
source: http://www.securityfocus.com/bid/15537/info
OTRS is prone to multiple input-validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.
The application is prone to multiple SQL-injection vulnerabilities, an HTML-injection vulnerability, and multiple cross-site scripting vulnerabilities.
http://www.example.com/admin/index.pl?Action=AgentTicketPlain&ArticleID=1&TicketID=1%20[SQL_HERE]
http://www.example.com/admin/index.pl?Action=AgentTicketPlain&TicketID=1&ArticleID=1%20[SQL_HERE]
{"id": "EDB-ID:26551", "hash": "02949b0293fa72df626f325b27f7ffc9", "type": "exploitdb", "bulletinFamily": "exploit", "title": "OTRS 2.0 - AgentTicketPlain Action Multiple Parameter SQL Injection", "description": "OTRS 2.0 AgentTicketPlain Action Multiple Parameter SQL Injection. CVE-2005-3893. Webapps exploit for cgi platform", "published": "2005-11-22T00:00:00", "modified": "2005-11-22T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/26551/", "reporter": "Moritz Naumann", "references": [], "cvelist": ["CVE-2005-3893"], "lastseen": "2016-02-03T03:50:33", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 5.6, "vector": "NONE", "modified": "2016-02-03T03:50:33"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-3893"]}, {"type": "exploitdb", "idList": ["EDB-ID:26550"]}, {"type": "osvdb", "idList": ["OSVDB:21065", "OSVDB:21064"]}, {"type": "openvas", "idList": ["OPENVAS:56281", "OPENVAS:1361412562310803935"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-973.NASL"]}, {"type": "debian", "idList": ["DEBIAN:DSA-973-1:7FF1E"]}], "modified": "2016-02-03T03:50:33"}, "vulnersScore": 5.6}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/26551/", "sourceData": "source: http://www.securityfocus.com/bid/15537/info\r\n \r\nOTRS is prone to multiple input-validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.\r\n \r\nThe application is prone to multiple SQL-injection vulnerabilities, an HTML-injection vulnerability, and multiple cross-site scripting vulnerabilities. 
\r\n\r\nhttp://www.example.com/admin/index.pl?Action=AgentTicketPlain&ArticleID=1&TicketID=1%20[SQL_HERE]\r\nhttp://www.example.com/admin/index.pl?Action=AgentTicketPlain&TicketID=1&ArticleID=1%20[SQL_HERE]", "osvdbidlist": ["21065"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:08:15", "bulletinFamily": "NVD", "description": "Multiple SQL injection vulnerabilities in index.pl in Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3 allow remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) user parameter in the Login action, and remote authenticated users via the (2) TicketID and (3) ArticleID parameters of the AgentTicketPlain action.", "modified": "2017-07-20T01:29:00", "id": "CVE-2005-3893", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3893", "published": "2005-11-29T21:03:00", "title": "CVE-2005-3893", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:18", "bulletinFamily": "software", "description": "## Vulnerability Description\nOTRS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the login function not properly sanitizing user-supplied input to the 'user' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 2.0.4 or higher or 1.3.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nOTRS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the login function not properly sanitizing user-supplied input to the 'user' variable. 
This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[target]/index.pl?Action=Login&User=%27[SQL_HERE]\n## References:\nVendor URL: http://www.otrs.org/\n[Vendor Specific Advisory URL](http://www.debian.org/security/2006/dsa-973)\nSecurity Tracker: 1015262\n[Secunia Advisory ID:18101](https://secuniaresearch.flexerasoftware.com/advisories/18101/)\n[Secunia Advisory ID:18887](https://secuniaresearch.flexerasoftware.com/advisories/18887/)\n[Secunia Advisory ID:17685](https://secuniaresearch.flexerasoftware.com/advisories/17685/)\n[Related OSVDB ID: 21065](https://vulners.com/osvdb/OSVDB:21065)\n[Related OSVDB ID: 21066](https://vulners.com/osvdb/OSVDB:21066)\n[Related OSVDB ID: 21067](https://vulners.com/osvdb/OSVDB:21067)\nOther Advisory URL: http://www.novell.com/linux/security/advisories/2005_30_sr.html\nOther Advisory URL: http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0705.html\n[CVE-2005-3893](https://vulners.com/cve/CVE-2005-3893)\nBugtraq ID: 15537\n", "modified": "2005-11-22T11:56:10", "published": "2005-11-22T11:56:10", "href": "https://vulners.com/osvdb/OSVDB:21064", "id": "OSVDB:21064", "title": "OTRS (Open Ticket Request System) Login Function User Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:18", "bulletinFamily": "software", "description": "## Vulnerability Description\nOTRS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the AgentTicketPlain function not properly sanitizing user-supplied input to the 'TicketID' and 'ArticleID' variables. 
This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 2.0.4 or higher or 1.3.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nOTRS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the AgentTicketPlain function not properly sanitizing user-supplied input to the 'TicketID' and 'ArticleID' variables. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[target]/admin/index.pl?Action=AgentTicketPlain&ArticleID=1&TicketID=1%20[SQL_HERE]\nhttp://[target]/admin/index.pl?Action=AgentTicketPlain&TicketID=1&ArticleID=1%20[SQL_HERE]\n## References:\nVendor URL: http://www.otrs.org/\n[Vendor Specific Advisory URL](http://www.debian.org/security/2006/dsa-973)\nSecurity Tracker: 1015262\n[Secunia Advisory ID:18101](https://secuniaresearch.flexerasoftware.com/advisories/18101/)\n[Secunia Advisory ID:18887](https://secuniaresearch.flexerasoftware.com/advisories/18887/)\n[Secunia Advisory ID:17685](https://secuniaresearch.flexerasoftware.com/advisories/17685/)\n[Related OSVDB ID: 21066](https://vulners.com/osvdb/OSVDB:21066)\n[Related OSVDB ID: 21067](https://vulners.com/osvdb/OSVDB:21067)\n[Related OSVDB ID: 21064](https://vulners.com/osvdb/OSVDB:21064)\nOther Advisory URL: http://www.novell.com/linux/security/advisories/2005_30_sr.html\nOther Advisory URL: http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0705.html\n[CVE-2005-3893](https://vulners.com/cve/CVE-2005-3893)\nBugtraq ID: 15537\n", "modified": "2005-11-22T11:56:10", "published": "2005-11-22T11:56:10", "href": "https://vulners.com/osvdb/OSVDB:21065", "id": "OSVDB:21065", "title": "OTRS (Open Ticket Request System) AgentTicketPlain Action Multiple 
Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-03T03:50:26", "bulletinFamily": "exploit", "description": "OTRS 2.0 Login Function User Parameter SQL Injection. CVE-2005-3893. Webapps exploit for cgi platform", "modified": "2005-11-22T00:00:00", "published": "2005-11-22T00:00:00", "id": "EDB-ID:26550", "href": "https://www.exploit-db.com/exploits/26550/", "type": "exploitdb", "title": "OTRS 2.0 - Login Function User Parameter SQL Injection", "sourceData": "source: http://www.securityfocus.com/bid/15537/info\r\n\r\nOTRS is prone to multiple input-validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.\r\n\r\nThe application is prone to multiple SQL-injection vulnerabilities, an HTML-injection vulnerability, and multiple cross-site scripting vulnerabilities. \r\n\r\nhttp://www.example.com/index.pl?Action=Login&User=%27[SQL_HERE]", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/26550/"}], "openvas": [{"lastseen": "2019-08-31T17:23:41", "bulletinFamily": "scanner", "description": "This host is installed with OTRS (Open Ticket Request System) and is prone to\n multiple input validation vulnerabilities.", "modified": "2019-08-30T00:00:00", "published": "2013-09-25T00:00:00", "id": "OPENVAS:1361412562310803935", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803935", "title": "OTRS Multiple Input Validation Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# OTRS Multiple Input Validation Vulnerabilities\n#\n# Authors:\n# Shashi Kiran N <nskiran@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH\n#\n# This program is free software; 
you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:otrs:otrs\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803935\");\n script_version(\"2019-08-30T12:23:10+0000\");\n script_cve_id(\"CVE-2005-3893\", \"CVE-2005-3894\", \"CVE-2005-3895\");\n script_bugtraq_id(15537);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-08-30 12:23:10 +0000 (Fri, 30 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2013-09-25 15:32:50 +0530 (Wed, 25 Sep 2013)\");\n script_name(\"OTRS Multiple Input Validation Vulnerabilities\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to steal the victim's\n cookie-based authentication credentials or execute arbitrary SQL commands and bypass authentication.\");\n\n script_tag(name:\"vuldetect\", value:\"Tries to login with provided credentials and sends a crafted HTTP\n GET request to check if it is possible to conduct an XSS attack.\");\n\n script_tag(name:\"insight\", value:\"Multiple error exists in the application which fails to validate below user-supplied\n input's properly:\n\n For XSS attack (1) QueueID parameter and (2) Action parameters (3) 
AttachmentDownloadType.\n\n For SQL attack (1) user parameter (2) TicketID and (3) ArticleID parameters.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to OTRS (Open Ticket Request System) version 1.3.3 or 2.0.4 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"This host is installed with OTRS (Open Ticket Request System) and is prone to\n multiple input validation vulnerabilities.\");\n\n script_tag(name:\"affected\", value:\"OTRS (Open Ticket Request System) version 1.0.0 through 1.3.2 and 2.0.0\n through 2.0.3.\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/17685\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/15537\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/34164\");\n script_xref(name:\"URL\", value:\"http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2005-01/\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"logins.nasl\", \"secpod_otrs_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"OTRS/installed\", \"http/login\");\n exit(0);\n}\n\ninclude(\"url_func.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nfunction get_otrs_login_cookie(location, otrsport, otrshost)\n{\n url = location + \"/index.pl?\";\n username = urlencode(str:get_kb_item(\"http/login\"));\n password = urlencode(str:get_kb_item(\"http/password\"));\n payload = \"Action=Login&RequestedURL=&Lang=en&TimeOffset=-330&User=\" + username + \"&Password=\" + password;\n\n req = string(\"POST \",url,\" HTTP/1.0\\r\\n\",\n \"Host: \",otrshost,\" \\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Referer: 
http://\",otrshost,location,\"/index.pl\\r\\n\",\n \"Connection: keep-alive\\r\\n\",\n \"Content-Length: \", strlen(payload),\"\\r\\n\\r\\n\",\n payload);\n\n buf = http_keepalive_send_recv(port:otrsport, data:req);\n if(!buf)\n exit(0);\n\n cookie = eregmatch(pattern:\"Set-Cookie: Session=([a-z0-9]+)\", string:buf);\n if(!cookie[1])\n exit(0);\n\n return cookie[1];\n}\n\nif(!port = get_app_port(cpe:CPE))\n exit(0);\n\nif(!loca = get_app_location(cpe:CPE, port:port));\n exit(0);\n\nif(loca == \"/\")\n loca = \"\";\n\nhost = http_host_name(port:port);\ncookie = get_otrs_login_cookie(location:loca, otrsport:port, otrshost:host);\n\nif(cookie)\n{\n url = loca + '/index.pl?QueueID=\"><script>alert(document.cookie)</script>\"';\n req = string(\"GET \", url, \" HTTP/1.1\\r\\n\",\n \"Host: \", host, \" \\r\\n\",\n \"Connection: keep-alive\\r\\n\",\n \"Cookie: Session=\", cookie, \"\\r\\n\\r\\n\");\n\n res = http_send_recv(port:port, data:req);\n\n if(ereg(pattern:\"^HTTP/1\\.[01] 200\", string:res) &&\n \"<script>alert(document.cookie)</script>\" >< res && \"Logout\" >< res)\n {\n report = report_vuln_url(port:port, url:url);\n security_message(port:port, data:report);\n exit(0);\n }\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:49:52", "bulletinFamily": "scanner", "description": "The remote host is missing an update to otrs\nannounced via advisory DSA 973-1.\n\nSeveral vulnerabilities have been discovered in otrs, the Open Ticket\nRequest System, that can be exploited remotely. 
The Common\nvulnerabilities and Exposures Project identifies the following\nproblems:\n\nCVE-2005-3893\nMultiple SQL injection vulnerabilities allow remote attackers to\nexecute arbitrary SQL commands and bypass authentication.\n\nCVE-2005-3894\nMultiple cross-site scripting vulnerabilities allow remote\nauthenticated users to inject arbitrary web script or HTML.\n\nCVE-2005-3895\nInternally attached text/html mails are rendered as HTML when the\nqueue moderator attempts to download the attachment, which allows\nremote attackers to execute arbitrary web script or HTML.\n\nthe old stable distribution (woody) does not contain OTRS packages.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=56281", "id": "OPENVAS:56281", "title": "Debian Security Advisory DSA 973-1 (otrs)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_973_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 973-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_solution = \"For the stable distribution (sarge) these problems have been fixed in\nversion 1.3.2p01-6.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 2.0.4p01-1.\n\nWe recommend that you upgrade your otrs package.\n\n https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20973-1\";\ntag_summary = \"The remote host is missing an update to otrs\nannounced via advisory DSA 973-1.\n\nSeveral vulnerabilities have been discovered in otrs, the Open Ticket\nRequest System, that can be exploited remotely. The Common\nvulnerabilities and Exposures Project identifies the following\nproblems:\n\nCVE-2005-3893\nMultiple SQL injection vulnerabilities allow remote attackers to\nexecute arbitrary SQL commands and bypass authentication.\n\nCVE-2005-3894\nMultiple cross-site scripting vulnerabilities allow remote\nauthenticated users to inject arbitrary web script or HTML.\n\nCVE-2005-3895\nInternally attached text/html mails are rendered as HTML when the\nqueue moderator attempts to download the attachment, which allows\nremote attackers to execute arbitrary web script or HTML.\n\nthe old stable distribution (woody) does not contain OTRS packages.\";\n\n\nif(description)\n{\n script_id(56281);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:07:13 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2005-3893\", \"CVE-2005-3894\", \"CVE-2005-3895\");\n script_bugtraq_id(15537);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", 
value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Debian Security Advisory DSA 973-1 (otrs)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"otrs-doc-de\", ver:\"1.3.2p01-6\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"otrs-doc-en\", ver:\"1.3.2p01-6\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"otrs\", ver:\"1.3.2p01-6\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-11-01T02:25:56", "bulletinFamily": "scanner", "description": "Several vulnerabilities have been discovered in otrs, the Open Ticket\nRequest System, that can be exploited remotely. 
The Common\nVulnerabilities and Exposures Project identifies the following\nproblems :\n\n - CVE-2005-3893\n Multiple SQL injection vulnerabilities allow remote\n attackers to execute arbitrary SQL commands and bypass\n authentication.\n\n - CVE-2005-3894\n Multiple cross-site scripting vulnerabilities allow\n remote authenticated users to inject arbitrary web\n script or HTML.\n\n - CVE-2005-3895\n Internally attached text/html mails are rendered as HTML\n when the queue moderator attempts to download the\n attachment, which allows remote attackers to execute\n arbitrary web script or HTML.", "modified": "2019-11-02T00:00:00", "id": "DEBIAN_DSA-973.NASL", "href": "https://www.tenable.com/plugins/nessus/22839", "published": "2006-10-14T00:00:00", "title": "Debian DSA-973-1 : otrs - several vulnerabilities", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-973. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22839);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2019/08/02 13:32:20\");\n\n script_cve_id(\"CVE-2005-3893\", \"CVE-2005-3894\", \"CVE-2005-3895\");\n script_bugtraq_id(15537);\n script_xref(name:\"DSA\", value:\"973\");\n\n script_name(english:\"Debian DSA-973-1 : otrs - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in otrs, the Open Ticket\nRequest System, that can be exploited remotely. 
The Common\nVulnerabilities and Exposures Project identifies the following\nproblems :\n\n - CVE-2005-3893\n Multiple SQL injection vulnerabilities allow remote\n attackers to execute arbitrary SQL commands and bypass\n authentication.\n\n - CVE-2005-3894\n Multiple cross-site scripting vulnerabilities allow\n remote authenticated users to inject arbitrary web\n script or HTML.\n\n - CVE-2005-3895\n Internally attached text/html mails are rendered as HTML\n when the queue moderator attempts to download the\n attachment, which allows remote attackers to execute\n arbitrary web script or HTML.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=340352\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2005-3893\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2005-3894\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2005-3895\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2006/dsa-973\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the otrs package.\n\nThe old stable distribution (woody) does not contain OTRS packages.\n\nFor the stable distribution (sarge) these problems have been fixed in\nversion 1.3.2p01-6.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:otrs\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:debian:debian_linux:3.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/02/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/10/14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/11/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.1\", prefix:\"otrs\", reference:\"1.3.2p01-6\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"otrs-doc-de\", reference:\"1.3.2p01-6\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"otrs-doc-en\", reference:\"1.3.2p01-6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-05-30T02:21:34", "bulletinFamily": "unix", "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 973-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nFebruary 15th, 2006 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : otrs\nVulnerability : several\nProblem type : 
remote\nDebian-specific: no\nCVE IDs : CVE-2005-3893 CVE-2005-3894 CVE-2005-3895\nBugTraq ID : 15537\nDebian Bug : 340352\n\nSeveral vulnerabilities have been discovered in otrs, the Open Ticket\nRequest System, that can be exploited remotely. The Common\nvulnerabilities and Exposures Project identifies the following\nproblems:\n\nCVE-2005-3893\n\n Multiple SQL injection vulnerabilities allow remote attackers to\n execute arbitrary SQL commands and bypass authentication.\n\nCVE-2005-3894\n\n Multiple cross-site scripting vulnerabilities allow remote\n authenticated users to inject arbitrary web script or HTML.\n\nCVE-2005-3895\n\n Internally attached text/html mails are rendered as HTML when the\n queue moderator attempts to download the attachment, which allows\n remote attackers to execute arbitrary web script or HTML.\n\nthe old stable distribution (woody) does not contain OTRS packages.\n\nFor the stable distribution (sarge) these problems have been fixed in\nversion 1.3.2p01-6.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 2.0.4p01-1.\n\nWe recommend that you upgrade your otrs package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.1 alias sarge\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/o/otrs/otrs_1.3.2p01-6.dsc\n Size/MD5 checksum: 600 0dd0acec3580502a8f9ecf061ed931de\n http://security.debian.org/pool/updates/main/o/otrs/otrs_1.3.2p01-6.diff.gz\n Size/MD5 checksum: 15917 f94589b636198b60b76d36ce074dc04f\n 
http://security.debian.org/pool/updates/main/o/otrs/otrs_1.3.2p01.orig.tar.gz\n Size/MD5 checksum: 6639786 8861ace308c6f058b331fbd0e8437f0c\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/o/otrs/otrs-doc-de_1.3.2p01-6_all.deb\n Size/MD5 checksum: 3005222 9783133f230474fabdca9b6fa30ea1d9\n http://security.debian.org/pool/updates/main/o/otrs/otrs-doc-en_1.3.2p01-6_all.deb\n Size/MD5 checksum: 2312748 2cd8499682e6b4a5fd3ad7472329a3da\n http://security.debian.org/pool/updates/main/o/otrs/otrs_1.3.2p01-6_all.deb\n Size/MD5 checksum: 920580 c29a6b599e31d7b5a847f2f74b658a3c\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "modified": "2006-02-15T00:00:00", "published": "2006-02-15T00:00:00", "id": "DEBIAN:DSA-973-1:7FF1E", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00050.html", "title": "[SECURITY] [DSA 973-1] New OTRS packages fix several vulnerabilities", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}