error in LOG

[steeman]

Hello,
I have version OTRS 6.0.25 and FAQ 6.0.23 and I have a few errors a day in my log (see below). Everything seems to work correctly, but I don't like errors.
The strange thing is that some of these error come at night (so I don't think it is from our customers).

Mon Feb 17 01:17:16 2020 (Europe/Brussels) error OTRS-CGI-12 Can't locate Kernel/Modules/PublicFAQZoomItemID8.pm in @INC (@INC contains: /home/servicedeskvives/otrs/bin/Custom /home/servicedeskvives/otrs/bin/Kernel/cpan-lib /home/servicedeskvives/otrs/bin /home/servicedeskvives/otrs/bin/cgi-bin/../../Custom /home/servicedeskvives/otrs/bin/cgi-bin/../../Kernel/cpan-lib /home/servicedeskvives/otrs/bin/cgi-bin/../.. /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /home/servicedeskvives/otrs/bin/cgi-bin/../../Kernel/System/Main.pm line 84.

Does someone have an idea what could be the cause?

[root]

Hi,

Looks like there is a reference to a module named PublicFAQZoomItemID8 in the SysConfig.
I don't this is an existing name.

- Roy

[zzz]

Hello,

It looks like someone messed with the URL and removed a semicolon.
Probably something like Action=PublicFAQZoomZoomItemID=8 instead of Action=PublicFAQZoom;ZoomItemID=8.

404's shouldn't result in error log entries, but that's how OTRS 6 works.
Anyway, there is nothing to worry about.

Best regards
Emin

[steeman]

I have also other similar entries in my log file. It seems that the semi-colons, equal-signs, ... are filtered. Perhaps a try to hack?
So if I don't have to worry.

Sun Feb 16 23:48:09 2020 (Europe/Brussels) error OTRS-CGI-12 Can't locate Kernel/Modules/PublicFAQExplorerCategoryID0SortByFAQIDOrderUp.pm in @INC (@INC contains: /home/servicedeskvives/otrs/bin/Custom /home/servicedeskvives/otrs/bin/Kernel/cpan-lib /home/servicedeskvives/otrs/bin /home/servicedeskvives/otrs/bin/cgi-bin/../../Custom /home/servicedeskvives/otrs/bin/cgi-bin/../../Kernel/cpan-lib /home/servicedeskvives/otrs/bin/cgi-bin/../.. /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /home/servicedeskvives/otrs/bin/cgi-bin/../../Kernel/System/Main.pm line 84.

[zzz]

That's the exact same issue.
I am not aware of such vulnerability.

Just open a public FAQ entry and remove the semicolon and you'll get an identical record.
The same goes for the agent frontend. Open 'AgentTicketZoomTicketID=1' and you'll see the error on your screen and in the error log.

You can also check the access log of your web server to get sure that it was a normal user with normal activity.

Best regards
Emin

[steeman]

All the errors come from only 3 IP-adresses (USA, Maleisia, China).
When I go to
https://servicedesk.vives.be/otrs/publi ... temID%3D56
instead of
https://servicedesk.vives.be/otrs/publi ... ;ItemID=56

I get the same errors.

So some-one (not a customer) probably tries something wrong.

I don't worry anymore. Thanks.

Philip

[zzz]

That's what I thought.
Some browsers or websites will encode special characters like semicolons to %3B and OTRS can't decode them back.

By the way, you should remove the URL to avoid more errors

Best regards
Emin

[steeman]

i don't have URL's pointing to this items except from the FAQ-system itself.