OTRS Install Dialog Disclosure

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2017-018  
Product: OTRS  
Manufacturer: OTRS  
Affected Version(s): OTRS 5.0.x, OTRS 4.0.x, OTRS 3.3.x  
Fixed Version(s): OTRS 5.0.20, OTRS 4.0.24, OTRS 3.3.17  
Tested Version(s): 5.0.19  
Vulnerability Type: Access to Installation Dialog  
Risk Level: High  
Solution Status: Fixed  
Manufacturer Notification: 2017-05-30  
Solution Date: 2017-06-06  
Public Disclosure: 2017-06-08  
CVE Reference: CVE-2017-9324  
Author of Advisory: Sebastian Auwarter, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
OTRS is a ticket management system.  
  
The manufacturer describes the product as follows (see [1]):  
  
"OTRS is one of the most flexible web-based ticketing systems used for   
Customer Service, Help Desk, IT Service Management. With a fast   
implementation and easy customization to your needs it helps you   
reducing costs and increasing the efficiency and transparency of your   
business communication."  
  
Due to insufficient checking of privileges, it is possible to access   
the OTRS Install dialog of an already installed instance, which enables   
an authenticated attacker to change the database settings, superuser   
password, mail server settings, log file location and other parameters.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
The recommended way to install OTRS is to use the installation dialog   
found at http://vulnerablehost/otrs/installer.pl. After successful   
installation, OTRS prevents further use of this installer. Any   
authenticated user can access the installation functionality of OTRS   
by referencing the installer via a crafted url. The URLs that can be   
used to access the installer can be one of the following:  
  
* http://vulnerablehost/otrs/index.pl?Action=Installer  
* http://vulnerablehost/otrs/index.pl?Action=Installer;Subaction=Intro  
* http://vulnerablehost/otrs/index.pl?Action=Installer;Subaction=Start  
* http://vulnerablehost/otrs/index.pl?Action=Installer;Subaction=System  
  
At the end of each "installation" step, the user is redirected to the   
start page. Therefore, the next step of the installation dialog must be   
called directly using the Intro, Start (Database) or System subaction,   
respectively.  
  
By Using the installer tool, an attacker can change a variety of   
parameters, including the superuser password, database settings, mail   
server settings, log file location and instance ID.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
On a newly installed instance of OTRS, logged in as any valid user,   
navigate to index.pl?Action=Installer;Subaction=Start to change the   
database parameters or to index.pl?Action=Installer;Subaction=System to   
get a superuser password.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
This vulnerability is fixed in the latest versions of OTRS, and it is   
recommended to upgrade to the latest patch level.  
  
Fixed releases can be found at:  
  
https://www.otrs.com/category/release-and-security-notes-en/   
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2017-05-30: Vulnerability discovered  
2017-05-30: Vulnerability reported to manufacturer by project member  
2017-06-06: Vulnerability reported to manufacturer via security   
advisory  
2017-06-06: Fix provided by manufacturer  
2017-06-06: Vulnerability disclosed by manufacturer  
2017-06-08: Public release of the security advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product website for OTRS  
https://www.otrs.com/  
[2] SySS Security Advisory SYSS-2017-018  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-018.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Sebastian Auwarter of SySS  
GmbH.  
  
E-Mail: [email protected]  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Auwaerter.asc  
Key Fingerprint: F98C 3E12 6713 19D9 9E2F BE3E E9A3 0D48 E2F0 A8B6  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1  
  
iQIcBAEBCgAGBQJZORr6AAoJEOmjDUji8Ki2Lt0P/iZ6DLr1ezWAhEHLxEdsrmGT  
OTpXaT3ANvvzWf4HH5NsIF/Q+kZAymNsW53MXxLJA0wZCj9t5cKR4UHptgd83W0h  
oNe3yOnYWPMf0L25PqNBy0wWVLLKL2Zme3xhSEYiEmbOCYERjr6IeX5td1i+PwwC  
wOkrYt/98o+XwtkMk25QyrQ0/IypNescPX2wj6zkOHkv0FcZUDsrAyOPFYBEyQ9q  
7VUnNnUZlZK5h8hJZQ63c+5I/Ql5FxqtzPdkiZeYkj3oavaipWTKm2goCFzU8fA1  
V1V5/ohQNd1Rk5sH+0NtC3KIMhbCA2hmH586jyDAgtZg6oRPXrHM4wFZE2SICKWy  
HeXIc1HUs6cvPFkFaxTNFL3Grb5NBuDBGxgwC7IQQ23pR3vYU3ckXC7UOj69sYSS  
bvGtcleYU17J7ND3YgQeVzMr58S/9i/mhZ/ya4WIGCp+9zh4YZiKzGK0PqFON+nn  
OQrQBLTwwTZz/VJJyWeaNWc7m4R4BXwi/BeYlAV3t51srWwCUV23NxDEXjKu4TZ7  
0f93N0qYcSpVi0CIwPtA5IDTVNhOWSLzeco1zitJvDq5V9l4gbyAISXOFV12RxSh  
cduM6hUc6ALp1UziHQRpD8xUhFbF03WVysN5wHXrM9+d+TaVZ92KOaCv6VIWDVBh  
63bQpoUQZ8L4LfzusTTl  
=EuyE  
-----END PGP SIGNATURE-----  
`