Security Advisory 2012-03

Oktober 16, 2012 -- Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

 

Security Advisory Details

 
 
 

 

Vulnerability Description

This advisory covers vulnerabilities discovered in the OTRS core system. This is a variance of the XSS vulnerability, where an attacker could send a specially prepared HTML email to OTRS which would cause JavaScript code to be executed in your browser while displaying the email. In this case this is achieved by using javascript source attributes with whitespaces.

Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.14, 3.0.x up to and including 3.0.16 and 3.1.x up to and including 3.1.10.

 
 
 
 

Recommended Resolution

This vulnerability is fixed in OTRS 2.4.15, 3.0.17 and 3.1.11, and it is recommended to upgrade to one of these versions.

Fixed OTRS releases can be found at: http://www.otrs.com/open-source/community-news/releases-notes/

You can also replace the following files with a fixed version, which are available at http://source.otrs.org/

OTRS 3.1.x:

  • Kernel/System/HTMLUtils.pm 1.35.2.4

OTRS 3.0.x:

  • Kernel/System/HTMLUtils.pm 1.27.2.6

OTRS 2.4.x:

  • Kernel/Modules/CustomerTicketAttachment.pm 1.17.2.8
  • Kernel/Modules/AgentTicketAttachment.pm 1.22.2.8


For OTRS versions older than 3.0.12, you also need to update AgentTicketZoom.pm. This is because of bugfix #7005 in 3.0.12, where both files (.pm and .dtl) were affected.

So please update the .pm file to: AgentTicketZoom.pm 1.145.2.5, which is available at http://source.otrs.org/viewvc.cgi/otrs/Kernel/Module/AgentTicketZoom.pm?revision=1.145.2.5&view=markup&pathrev=rel-3_0

However, to avoid unwanted side effects, we recommend a complete update.

 

 

Report a Vulnerability

security@otrs.org

PGP Key

pub  2048R/9C227C6B 2011-03-21 [expires at: 2014-03-20]

uid  OTRS Security Team <security@otrs.org>


Fingerprint  E330 4608 DA6E 34B7 1551  C244 7F9E 44E9 9C22 7C6B