• Date: Nov 22, 2005
• Title: Vulnerabilities in OTRS-Core allows SQL-Injection and Cross-Site-Scripting
• Severity: Critical
• Affected:
  • OTRS Help Desk OTRS 2.x
  • OTRS Help Desk OTRS 1.x
• Fixed in:
  • OTRS Help Desk OTRS 2.0.4
  • OTRS Help Desk OTRS 1.3.3
• Download a fixed release

This Advisory covers three vulnerabilities in the OTRS-System-Core.

SQL-Injection via UNION
Missing security quoting for SQL statements allows agents the manipulation of SQL queries. So it's possible to inject SQL queries via UNION statements. A malicious user may be able to login successfully without valid credentials. Authentication mechanisms other than the database backend authentication are not affected. Authenticated users can use this vulnerabilitiy to get records from other OTRS database tables. This informations can be used for other attacks like session hijacking.

Open attachment in new browser window
In default config setting OTRS opens attachments in new browser windows if an agent clicks on the download symbole. An attacker can exploit this vulnerabilitiy by sending manipulated attachments with active script content which will be executed by the browser with user privileges.

Input fields allows injection of script code
Missing HTML quoting allows an agent in a valid session the injection of HTML tags. This vulnerability allows an attacker to inject script code into the OTRS webinterface which will be loaded and executed in users browsers.

Affected by these vulnerabilities are all releases of OTRS 2.x up to and including 2.0.3 and all releases of OTRS 1.x up to and including 1.3.2.