Security Advisory 2010-01

August 16, 2011 -- Please read carefully and check whether the version of your OTRS installation is affected by this vulnerability.
Security Advisory Details

  • Date: Feb 8, 2010
  • Title: Vulnerability in OTRS-Core allows SQL injection
  • Severity: Critical
  • Affected:
    • OTRS Help Desk 2.1.x
    • OTRS Help Desk 2.2.x
    • OTRS Help Desk 2.3.x
    • OTRS Help Desk 2.4.x
  • Fixed in:
    • OTRS Help Desk 2.1.9
    • OTRS Help Desk 2.2.9
    • OTRS Help Desk 2.3.5
    • OTRS Help Desk 2.4.7
  • Download a fixed release
  • Common Vulnerabilities and Exposures: CVE-2010-0438
Vulnerability Description

Missing security quoting of values placed into SQL statements allows agents and customers to manipulate the resulting queries. An authenticated user can therefore inject SQL by manipulating the strings that end up in those statements. A malicious user may be able to alter queries to read or modify records in the database, which in turn could be used to obtain additional permissions (e.g. administrator permissions). To use this vulnerability the malicious user needs a valid agent or customer session. All releases of OTRS 2.1.x up to and including 2.4.6 are affected.
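To make the defect class concrete, the following added example (not OTRS code; the table, rows and names are constructed for illustration, and sqlite3 stands in for the real database backend) shows the unquoted pattern the advisory describes beside the two fixes that remove it: binding the session-supplied value as a parameter, and, where binding is not available, quoting it before interpolation.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample data; not OTRS's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ticket (id INTEGER PRIMARY KEY, customer_id TEXT, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO ticket (customer_id, title) VALUES (?, ?)",
        [
            ("alice", "Printer broken"),
            ("bob", "VPN access"),
            ("carol", "Password reset"),
        ],
    )
    return conn


def tickets_unquoted(conn, customer_id):
    """Vulnerable pattern: the value taken from the session is interpolated
    directly into the statement, so quote characters in it become SQL."""
    sql = "SELECT title FROM ticket WHERE customer_id = '%s'" % customer_id
    return [row[0] for row in conn.execute(sql)]


def tickets_bound(conn, customer_id):
    """Fixed pattern: a placeholder plus a bind value. The driver sends the
    value separately and never parses it as part of the statement."""
    sql = "SELECT title FROM ticket WHERE customer_id = ?"
    return [row[0] for row in conn.execute(sql, (customer_id,))]


def quote(value):
    """Minimal SQL string quoting (double every single quote), the standard
    form for SQLite. Other backends have further special characters, so use
    the driver's own quoting routine in real code; binding is preferable."""
    return value.replace("'", "''")


def tickets_quoted(conn, customer_id):
    """Fallback fix: quote the value before interpolating it."""
    sql = "SELECT title FROM ticket WHERE customer_id = '%s'" % quote(customer_id)
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    tampered = "alice' OR '1'='1"  # constructed value a user could place in a session field
    print("unquoted:", tickets_unquoted(db, tampered))   # every customer's tickets
    print("bound:   ", tickets_bound(db, tampered))      # no row has that literal id
    print("quoted:  ", tickets_quoted(db, tampered))     # same: treated as a literal
```

The bound and quoted variants return nothing for the tampered value because it is compared as a literal string; the unquoted variant returns the whole table, which is the cross-customer disclosure the advisory warns about. When reviewing a Perl codebase such as OTRS for this pattern, the thing to look for is any SQL string built with interpolation or concatenation from a value that originated in a request or session rather than from code.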
Recommended Resolution

These vulnerabilities are fixed in OTRS 2.1.9, OTRS 2.2.9, OTRS 2.3.5 and OTRS 2.4.7, and it is recommended to upgrade to one of these versions.

Workaround

As a workaround it's also possible to replace the file Kernel/System/Ticket.pm by a version that has been fixed:

  • OTRS 2.1.x: v1.233.2.3
  • OTRS 2.2.x: v1.275.2.19
  • OTRS 2.3.x: v1.346.2.9
  • OTRS 2.4.x: v1.416.2.10

(http://source.otrs.org/viewvc.cgi/otrs/Kernel/System/Ticket.pm?view=log).
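When applying the workaround, an operator wants a quick way to confirm that the Ticket.pm actually installed is one of the fixed revisions above. The following added check is not part of the advisory or of OTRS; it assumes, as OTRS 2.x modules did, that the file carries a CVS keyword line of the form `$VERSION = qw($Revision: 1.416.2.10 $) [1];` and reads the revision from it. The sample file header is constructed.

```python
import re

# Fixed revisions of Kernel/System/Ticket.pm from the advisory, by OTRS branch.
FIXED_TICKET_PM = {
    "2.1": "1.233.2.3",
    "2.2": "1.275.2.19",
    "2.3": "1.346.2.9",
    "2.4": "1.416.2.10",
}

# Assumption: the module contains a CVS $Revision$ keyword; adjust if your copy differs.
REVISION_RE = re.compile(r"\$Revision:\s*([\d.]+)\s*\$")

# Constructed sample standing in for the top of an installed Ticket.pm.
SAMPLE_TICKET_PM = """\
# --
# Kernel/System/Ticket.pm - constructed sample header, not the real module
# --
package Kernel::System::Ticket;
use strict;
use warnings;
our $VERSION = qw($Revision: 1.416.2.9 $) [1];
"""


def ticket_pm_revision(source):
    """Return the CVS revision string found in the module source, or None."""
    m = REVISION_RE.search(source)
    return m.group(1) if m else None


def branch_of(revision):
    """Map a Ticket.pm revision to its OTRS branch using the branch-point
    prefix of the fixed revision (e.g. 1.416.2.x belongs to 2.4.x)."""
    for branch, fixed in FIXED_TICKET_PM.items():
        prefix = fixed.rsplit(".", 2)[0]
        if revision.startswith(prefix + "."):
            return branch
    return None


def _rev_tuple(rev):
    return tuple(int(p) for p in rev.split("."))


def is_fixed(revision):
    """True if the revision is at or past the fixed revision on its branch,
    False if it is earlier, None if the branch is not one the advisory lists."""
    branch = branch_of(revision)
    if branch is None:
        return None
    return _rev_tuple(revision) >= _rev_tuple(FIXED_TICKET_PM[branch])


def check_file(path):
    """Read an installed Ticket.pm and report (revision, fixed?)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        rev = ticket_pm_revision(fh.read())
    return rev, (is_fixed(rev) if rev else None)


if __name__ == "__main__":
    rev = ticket_pm_revision(SAMPLE_TICKET_PM)
    print(rev, "fixed" if is_fixed(rev) else "NOT fixed")
```

Run `check_file("/opt/otrs/Kernel/System/Ticket.pm")` (path assumed; use your installation's) after swapping the file in. A result of None means the revision is not on one of the four branches the advisory covers, which usually indicates a trunk or patched copy that needs manual inspection rather than a fixed or unfixed verdict.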
Report a Vulnerability

security@otrs.org