VirtuaX
Security without illusions
www.virtuax.be
Application: OTRS
Vulnerable Versions: <= v2.0.x
Vulnerability: XSS/XSRF
Vendor: http://www.otrs.org
Vendor Status: Notified
Found: 07-05-2007
Public Release Date: 07-05-2007
Last modified: 07-05-2007
Author: ciri
E-mail: ciri[a.t]virtuax[d.o.t]be
Reference: http://www.virtuax.be/advisories/Advisory5-07052007.txt
=================================================================================
Shouts to the VirtuaX Crew & Community!
=================================================================================
"OTRS is an Open source Ticket Request System with many features to manage customer
telephone calls and e-mails. The system is built to allow your support, sales,
pre-sales, billing, internal IT, helpdesk, etc. department to react quickly to
inbound inquiries"
by otrs.org
OTRS is vulnerable to XSS/XSRF: it is possible to inject code into the
Subaction parameter. Authentication is required to reach the page, but a
non-authenticated user will be asked to log in and the attack will still be carried
out. XSRF is of course also possible in this case.
OTRS 2.0.4 was tested and appears to be vulnerable. I've tested version 2.2.0 and
it doesn't seem to be vulnerable anymore.
http://server/otrs/index.pl?Action=AgentTicketMailbox&Subaction=<img src=https://server/otrs/images/Standard/new-message.png onLoad=javascript:alert('hello');>
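The reflection described above, reduced to a small Python model (added here; not OTRS code, which is Perl): a handler that echoes an unknown Subaction back into the page unescaped, beside a hardened version that checks the value against an allowlist and HTML-escapes it, plus a log-side check that flags Subaction values carrying markup metacharacters. The allowlist, the page wording and the sample URL are constructed for this example.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed request modelled on the advisory's PoC; "server" is a placeholder host
SAMPLE_URL = ("http://server/otrs/index.pl?Action=AgentTicketMailbox"
              "&Subaction=<img src=x onLoad=alert('hello')>")
BENIGN_URL = "http://server/otrs/index.pl?Action=AgentTicketMailbox&Subaction=New"

# Hypothetical set of Subactions the mailbox screen understands (not from OTRS source)
KNOWN_SUBACTIONS = {"All", "New", "Pending", "Reminder", "Responsible"}


def subaction_of(url: str) -> str:
    """Extract the raw Subaction query parameter (empty string if absent)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("Subaction", [""])[0]


def render_vulnerable(url: str) -> str:
    """Models the <= 2.0.x behaviour: the raw parameter lands in the HTML."""
    return f"<p>Subaction '{subaction_of(url)}' not found</p>"


def render_hardened(url: str) -> str:
    """Allowlist first; anything unknown is reflected only after escaping."""
    sub = subaction_of(url)
    if sub in KNOWN_SUBACTIONS:
        return f"<p>Showing {sub} tickets</p>"
    # quote=True also encodes ' and ", so the value cannot close the attribute/text
    return f"<p>Unknown Subaction '{escape(sub, quote=True)}' </p>"


def looks_like_markup_injection(url: str) -> bool:
    """Cheap access-log check: markup metacharacters in a Subaction value."""
    return any(ch in subaction_of(url) for ch in "<>\"'")


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_URL))
    print(render_hardened(SAMPLE_URL))
    print(looks_like_markup_injection(SAMPLE_URL), looks_like_markup_injection(BENIGN_URL))
```

Escaping closes the reflection; the XSRF the advisory also mentions needs a separate per-request token, which this example does not implement.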
Copyright 2007 by ciri from Virtuax.be. All rights reserved.