Znuny Security Advisory for OTRS - ZSA-2012-01

Moderator: crythias

Locked
mikeeduard
Znuny newbie
Posts: 10
Joined: 19 Aug 2012, 09:43
Znuny Version: 3.1.x
Real Name: Mike Eduard
Company: Znuny GmbH

Znuny Security Advisory for OTRS - ZSA-2012-01

Post by mikeeduard »

There is a publicly known OTRS vulnerability for OTRS 3.1, OTRS 3.0 and OTRS 2.4.

Problem
An attacker could trick a logged-in user into executing malicious JavaScript code by sending a prepared email into OTRS.

Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.12, OTRS 3.0.x up to and including 3.0.14, as well as all 3.1.x versions up to and including 3.1.8.

Workaround
As a workaround, you need to disable the rich text feature via SysConfig.

Fix
If you are looking for a fix, just go here:

http://znuny.com/en/#!/advisory/ZSA-2012-01

Details
  • ZSA-2012-01
  • Date: 2012-08-17
  • Title: Several XSS attacks possible
  • Severity: Critical
  • Product: OTRS 3.1.x, OTRS 3.0.x, OTRS 2.4.x
  • Fixed in: Only by installing the addon package Znuny4OTRS-CVE-2012-2582
  • URL: http://znuny.com/en/#!/advisory/ZSA-2012-01
  • CVE-2012-2582
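The affected ranges listed above are per branch, with an upper patch level each, so a plain string comparison of version numbers gets cases like 3.1.10 wrong. The following is an added example, not part of the original post or of OTRS itself: a small Python check that parses an OTRS version string (or the contents of the OTRS `RELEASE` file, whose `VERSION = x.y.z` line format is assumed here) and reports whether it falls inside the ranges named in ZSA-2012-01.

```python
import re

# Affected ranges from ZSA-2012-01: each (major, minor) branch is affected
# up to and including the listed patch level.
AFFECTED_MAX_PATCH = {
    (2, 4): 12,   # OTRS 2.4.x up to and including 2.4.12
    (3, 0): 14,   # OTRS 3.0.x up to and including 3.0.14
    (3, 1): 8,    # OTRS 3.1.x up to and including 3.1.8
}


def parse_version(version):
    """Parse 'MAJOR.MINOR.PATCH' (an optional suffix such as 'beta1' is ignored)
    into a tuple of ints so that comparisons are numeric, not lexicographic."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised OTRS version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the release is inside an affected range of ZSA-2012-01 (CVE-2012-2582)."""
    major, minor, patch = parse_version(version)
    max_patch = AFFECTED_MAX_PATCH.get((major, minor))
    if max_patch is None:
        return False  # branch not named in the advisory
    return patch <= max_patch


def version_from_release_file(text):
    """Extract the version from the text of an OTRS RELEASE file.
    Assumption (not stated on the page): the file contains a line 'VERSION = x.y.z'."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "VERSION":
            return value.strip()
    raise ValueError("no VERSION line found in RELEASE file")


def check_release_file(text):
    """Return (version, affected) for a RELEASE file's contents."""
    version = version_from_release_file(text)
    return version, is_affected(version)


if __name__ == "__main__":
    # Constructed sample RELEASE file content, not taken from a real installation.
    sample_release = "PRODUCT = OTRS\nVERSION = 3.1.8\n"
    version, affected = check_release_file(sample_release)
    print(f"OTRS {version}: {'AFFECTED' if affected else 'not in affected range'}")
    for v in ["2.4.12", "2.4.13", "3.0.14", "3.0.15", "3.1.8", "3.1.9", "3.1.10", "3.2.0"]:
        print(f"{v:8} affected={is_affected(v)}")
```

Note the caveat from the advisory itself: the fix ships only as the addon package Znuny4OTRS-CVE-2012-2582, so a version number inside the affected range says nothing about whether that package has already been installed. Use this check to find candidate installations, then verify the package is present in the package manager before treating a system as unpatched.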
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: Znuny Security Advisory for OTRS - ZSA-2012-01

Post by jojo »

"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
mikeeduard
Znuny newbie
Posts: 10
Joined: 19 Aug 2012, 09:43
Znuny Version: 3.1.x
Real Name: Mike Eduard
Company: Znuny GmbH

Re: Znuny Security Advisory for OTRS - ZSA-2012-01

Post by mikeeduard »

JFI, the package from http://znuny.com/en/#!/advisory/ZSA-2012-01 will also work with ITSM and other extensions. The CVS files will break other functionality.
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: Znuny Security Advisory for OTRS - ZSA-2012-01

Post by jojo »

For ITSM you need to use the versions from the ITSM CVS.
mikeeduard
Znuny newbie
Posts: 10
Joined: 19 Aug 2012, 09:43
Znuny Version: 3.1.x
Real Name: Mike Eduard
Company: Znuny GmbH

Re: Znuny Security Advisory for OTRS - ZSA-2012-01

Post by mikeeduard »

Exactly, with the Znuny package you do not need to take care! Just install it and it's done. No matter if ITSM, a custom extension or plain OTRS. :)