OTRS <= 2.0.x XSS/XSRF

2007-05-08T00:00:00
ID SECURITYVULNS:DOC:16950
Type securityvulns
Reporter Securityvulns
Modified 2007-05-08T00:00:00

Description


[VirtuaX ASCII banner: "Security without illusions", www.virtuax.be]


                      Application: OTRS
              Vulnerable Versions: <= v2.0.x
                    Vulnerability: XSS/XSRF

                           Vendor: http://www.otrs.org
                    Vendor Status: Notified

                            Found: 07-05-2007
              Public Release Date: 07-05-2007
                    Last modified: 07-05-2007
                           Author: ciri
                           E-mail: ciri[a.t]virtuax[d.o.t]be

   reference: http://www.virtuax.be/advisories/Advisory5-07052007.txt

=================================================================================

Shouts to the VirtuaX Crew & Community!

=================================================================================

I. Background

"OTRS is an Open source Ticket Request System with many features to manage customer telephone calls and e-mails. The system is built to allow your support, sales, pre-sales, billing, internal IT, helpdesk, etc. department to react quickly to inbound inquiries" by otrs.org

II. Vulnerability

OTRS is vulnerable to an XSS/XSRF. It is possible to inject code into the Subaction parameter. Authentication is required to reach the page, but a non-authenticated user will be asked to log in and the attack will still be carried out. XSRF is of course also possible in this case.

IIa. Affected Versions

OTRS 2.0.4 was tested and appears to be vulnerable. I've tested version 2.2.0 and it doesn't seem to be vulnerable anymore.

III. PoC

http://server/otrs/index.pl?Action=AgentTicketMailbox&Subaction=<img src= https://server/otrs/images/Standard/new-message.png onLoad=javascript:alert('hello');>
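An added example (not code from the advisory or from the OTRS project) showing in Python the two defender-side pieces this finding calls for: an allowlist check plus output escaping for the Subaction value, and a log scan that flags requests to index.pl whose Subaction parameter carries markup or an event handler. The log lines are constructed samples; only the path and parameter names are taken from the advisory.

```python
import re
from html import escape
from urllib.parse import urlsplit, parse_qs, unquote_plus

# OTRS Subaction values are plain identifiers; anything outside this
# allowlist pattern is rejected instead of being echoed back into the page.
SUBACTION_OK = re.compile(r"^[A-Za-z0-9_]{0,64}$")

# Markup fragments that have no business in a Subaction value.
TAG_OR_HANDLER = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.I)


def validate_subaction(raw: str) -> str:
    """Server side: accept only identifier-like values, otherwise fall back
    to the default view and never reuse the raw input."""
    value = unquote_plus(raw)
    return value if SUBACTION_OK.fullmatch(value) else ""


def render_message(subaction: str) -> str:
    """Escape on output; the vulnerable versions echoed the value unescaped."""
    return f"<div>Unknown Subaction: {escape(subaction, quote=True)}</div>"


def suspicious_request(log_line: str) -> bool:
    """Flag an access-log entry whose Subaction parameter contains markup."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return False
    url = urlsplit(m.group(1))
    if not url.path.endswith("/otrs/index.pl"):
        return False
    # parse_qs already percent-decodes; decode again to catch double encoding.
    for value in parse_qs(url.query).get("Subaction", []):
        if TAG_OR_HANDLER.search(unquote_plus(value)):
            return True
    return False


# Constructed sample log lines (not taken from the advisory): one benign,
# one carrying a URL-encoded img/onLoad fragment of the kind described above.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/May/2007:10:00:00 +0200] "GET /otrs/index.pl?Action=AgentTicketMailbox&Subaction=New HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/May/2007:10:01:00 +0200] "GET /otrs/index.pl?Action=AgentTicketMailbox&Subaction=%3Cimg%20src%3Dx%20onLoad%3Dalert(1)%3E HTTP/1.1" 200 512',
]


def flagged_lines(lines):
    return [line for line in lines if suspicious_request(line)]


if __name__ == "__main__":
    print(flagged_lines(SAMPLE_LOG))
```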

Copyright 2007 by ciri from Virtuax.be. All rights reserved.