Open Ticket Request System attachment download arbitrary script execution vulnerability

Vulnerability ID: 1197133    Vulnerability type: input validation
Published: 2005-11-29    Updated: 2007-07-03
CVE ID: CVE-2005-3895    CNNVD ID: CNNVD-200511-470
Platform: N/A    CVSS score: 5.8
|Vulnerability sources
https://cxsecurity.com/issue/WLB-2005110058
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200511-470
|Vulnerability details
OTRS (Open Ticket Request System) is a free, open-source trouble ticket system with e-mail and telephone interfaces. In OTRS 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3, when AttachmentDownloadType is set to inline, a text/html e-mail attachment is rendered as HTML in the browser when a queue reviewer tries to download it, which lets a remote attacker execute arbitrary web script or HTML. Note: some sources refer to this specific issue as XSS.
|Vulnerability EXP

SA0007

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++       OTRS 1.x/2.x Multiple Security Issues       +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

PUBLISHED ON
  Nov 22, 2005

PUBLISHED AT
  http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt
  http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt.sig

PUBLISHED BY
  Moritz Naumann IT Consulting & Services
  Hamburg, Germany
  http://moritz-naumann.com/

SECURITY at MORITZ hyphen NAUMANN d0t COM
  GPG key: http://moritz-naumann.com/keys/0x277F060C.asc

AFFECTED APPLICATION OR SERVICE
  OTRS
  http://www.otrs.org/

  OTRS, the Open Source Ticket Request System, is a trouble
  ticket system which allows for managing customer telephone
  calls and e-mails.

AFFECTED VERSIONS
  Version 2.0.0 up to and including 2.0.3 and OTRS 1.0.0 up
  to and including 1.3.2.

ISSUES
  OTRS is subject to multiple security vulnerabilities,
  ranging from cross site scripting to SQL injection.

>>> 1. SQL injection #1
  A malicious user may be able to conduct blind SQL code
  injection on the OTRS 'Login' function. Successful
  authentication is NOT required. By injecting a LEFT JOIN
  statement into the authentication database SQL query,
  an attacker may be able to exploit this issue.

  The following partial URL demonstrates this issue:
  [OTRS_BaseURI]/index.pl?Action=Login&User=%27[SQL_HERE]

  This results in an SQL error message being logged in the
  OTRS system log.

>>> 2. SQL injection #2
  A malicious user may be able to conduct blind SQL code
  injection on the OTRS 'AgentTicketPlain' function in the
  'TicketID' parameter. Successful authentication IS required,
  however, a non-authenticated user will be prompted for her
  login credentials and the attack will still be carried out
  after the login succeeded. By injecting a LEFT JOIN statement
  into the SQL query, an attacker may be able to exploit this
  issue.

  The following partial URL demonstrates this issue:

  [OTRS_BaseURI]/admin/index.pl?Action=AgentTicketPlain&ArticleID=1&TicketID=1%20[SQL_HERE]

  This results in an SQL error message being logged in the
  OTRS system log.

>>> 3. SQL injection #3
  A malicious user may be able to conduct blind SQL code
  injection on the OTRS 'AgentTicketPlain' function in the
  'ArticleID' parameter. Successful authentication IS required,
  however, a non-authenticated user will be prompted for her
  login credentials and the attack will still be carried out
  after the login succeeded. By injecting a LEFT JOIN statement
  into the SQL query, an attacker may be able to exploit this
  issue.

  The following partial URL demonstrates this issue:

  [OTRS_BaseURI]/admin/index.pl?Action=AgentTicketPlain&TicketID=1&ArticleID=1%20[SQL_HERE]

  This results in an SQL error message being logged in the
  OTRS system log.

>>> 4. Cross Site Scripting #1
  OTRS is subject to an XSS vulnerability on the file attachment
  display function.

  An attacker may send malicious code inside an email attachment
  of Content-Type "text/html". A queue moderator clicking the
  attachment download button (disk symbol) on a ticket created
  based on a HTML email will have this attachment rendered by
  her browser. Thus, any malicious client side code included in
  the HTML attachment will be executed in the security context
  of the OTRS domain.

  This refers to the default configuration
  (AttachmentDownloadType = "inline") but does not apply if
  AttachmentDownloadType is set to "attachment".
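As an added illustration (not OTRS code, and not part of the advisory), the decision described above expressed as a header-building function: the setting name AttachmentDownloadType is the one from the advisory, while download_headers, browser_will_render and the harden flag are assumptions made for this example only.

```python
# Added example (not OTRS code): how the AttachmentDownloadType setting decides
# whether a mail attachment is rendered by the browser or saved to disk.
from email.utils import quote

# Content types a browser executes in the serving origin when shown inline.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def download_headers(content_type, filename, attachment_download_type="inline",
                     harden=False):
    """Return HTTP headers for serving one ticket attachment.

    attachment_download_type mirrors the OTRS SysConfig value from the advisory:
    "inline" (the vulnerable default) or "attachment" (the workaround).
    harden=True is an assumed extra policy, not an OTRS option: force a
    download for active content regardless of the setting and forbid sniffing.
    """
    ctype = content_type.split(";")[0].strip().lower()
    disposition = attachment_download_type
    if harden and ctype in ACTIVE_TYPES:
        disposition = "attachment"
    headers = {
        "Content-Type": content_type,
        "Content-Disposition": '%s; filename="%s"' % (disposition, quote(filename)),
    }
    if harden:
        headers["X-Content-Type-Options"] = "nosniff"
    return headers


def browser_will_render(headers):
    """True when a browser would display the body as a page in the OTRS origin."""
    ctype = headers["Content-Type"].split(";")[0].strip().lower()
    return headers["Content-Disposition"].startswith("inline") and ctype in ACTIVE_TYPES


if __name__ == "__main__":
    # Constructed sample: an attacker-supplied text/html attachment on a ticket.
    weak = download_headers("text/html", "invoice.html")                 # default config
    fixed = download_headers("text/html", "invoice.html", "attachment")  # workaround
    print(weak["Content-Disposition"], browser_will_render(weak))        # inline ... True
    print(fixed["Content-Disposition"], browser_will_render(fixed))      # attachment ... False
```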

>>> 5. Cross Site Scripting #2
  OTRS is subject to an XSS vulnerability on the queue selection
  function.

  An attacker may inject arbitrary client side script code into
  the 'QueueID' parameter. Successful authentication IS required,
  however, a non-authenticated user will be prompted for her
  login credentials and the attack will still be carried out
  after the login succeeded.

  The following partial URL demonstrates this issue:

  [OTRS_BaseURI]/index.pl?QueueID=%22%3E%3Cscript%3Ealert('[XSS_HERE]')%3B%3C/script%3E%3Cx%20y=%22

>>> 6. Cross Site Scripting #3
  OTRS is subject to an XSS vulnerability on the 'Action'
  parameter. An attacker may inject arbitrary client side script
  code into this parameter. To exploit this issue, successful
  authentication IS required, however, a non-authenticated user
  will be prompted for her login credentials and the attack will
  still be carried out after the login succeeded.

  The following partial URL demonstrates this issue:

  [OTRS_BaseURI]/index.pl?Action="><script>alert(document.title);</script><x%20"

  This is only exploitable on web browsers which perform limited
  URL encoding before submitting user input, such as Internet
  Explorer (tested on v6.2900.2180 including all patches on
  Windows XP SP2) and Konqueror (tested on V3.3.2).
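For the defender side of issues 1-3, 5 and 6, here is an added example (not from the advisory) that scans web-server access-log lines for the OTRS parameters the advisory names and flags values shaped like the injections it describes; the log format is assumed to be Apache common/combined, the sample lines are constructed, and the names suspicious_params and scan_access_log are this example's own.

```python
# Added example (not from the advisory): flag requests that hit the OTRS
# parameters named in issues 1-3, 5 and 6 with injection-shaped values.
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Injection points the advisory names, and the issue class for each.
WATCHED_PARAMS = {"User": "sqli", "TicketID": "sqli", "ArticleID": "sqli",
                  "QueueID": "xss", "Action": "xss"}
# Heuristics only: a legitimate user name containing an apostrophe will also flag.
SQLI_RE = re.compile(r"'|\bLEFT\s+JOIN\b|\bUNION\b|--", re.I)
XSS_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)
# Apache common/combined prefix: client ident user [time] "METHOD path HTTP/x" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log: one SQLi probe, one benign request, one XSS probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Nov/2005:10:00:01 +0100] "GET /otrs/index.pl?Action=Login&User=%27%20LEFT%20JOIN%20t HTTP/1.1" 200 512',
    '10.0.0.7 - agent [22/Nov/2005:10:00:02 +0100] "GET /otrs/index.pl?Action=AgentTicketPlain&TicketID=42&ArticleID=7 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [22/Nov/2005:10:00:03 +0100] "GET /otrs/index.pl?QueueID=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 302 0',
]


def suspicious_params(request_path):
    """Return (parameter, issue class) pairs whose decoded value looks hostile."""
    hits = []
    query = urlsplit(request_path).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        kind = WATCHED_PARAMS.get(name)
        if kind is None:
            continue
        for value in values:
            value = unquote_plus(value)  # second decode catches double-encoded payloads
            if (kind == "sqli" and SQLI_RE.search(value)) or \
               (kind == "xss" and XSS_RE.search(value)):
                hits.append((name, kind))
    return hits


def scan_access_log(lines):
    """Return (client_ip, status, hits) for every OTRS request that trips a rule."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "index.pl" not in m.group(2):
            continue
        ip, path, status = m.groups()
        hits = suspicious_params(path)
        if hits:
            findings.append((ip, status, hits))
    return findings
```

Run against SAMPLE_LOG the scanner reports the first and third lines only; the benign AgentTicketPlain request with numeric IDs passes.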

BACKGROUND
  SQL Injection:
  SQL injection describes the inclusion of additional SQL
  database query language statements into an existing query as
  carried out by a web application. A common attack vector is
  the injection of user-supplied arbitrary SQL statements into
  the applications' database queries. Failure to completely
  sanitize user input from malicious content can cause a web
  application to be vulnerable to SQL Injection.

  http://en.wikipedia.org/wiki/SQL_injection
  http://www.cgisecurity.com/questions/sql.shtml

  Cross Site Scripting (XSS):
  Cross Site Scripting, also known as XSS or CSS, describes
  the injection of malicious content into output produced
  by a web application. A common attack vector is the
  inclusion of arbitrary client side script code into the
  applications' output. Failure to completely sanitize user
  input from malicious content can cause a web application
  to be vulnerable to Cross Site Scripting.

  http://en.wikipedia.org/wiki/XSS
  http://www.cgisecurity.net/articles/xss-faq.shtml

WORKAROUNDS
  Issues 1-3:
    Client: Disable Javascript.
    Server: Prevent access to vulnerable file(s).
  Issue 4:
    Client: Right-click on disk logo and select to download
            to file ('save as').
    Server: Change configuration to force file download.
            Admin interface -> SysConfig -> Framework
            -> Core::Web -> AttachmentDownloadType
            -> "attachment".
  Issues 5-6:
    Client: N/A
    Server: Prevent access to vulnerable file(s).

SOLUTIONS
  OTRS has released versions 2.0.4 and 1.3.3 today. These are
  supposed to fix all of the above issues. The updated
  packages are available at ftp://ftp.otrs.org/pub/otrs/

TIMELINE
  Oct 17, 2005  Issue 1: Discovery, code maintainer notification
  Oct 17, 2005  Issue 1: Code maintainer acknowledgement
  Oct 17, 2005  Issue 4: Discovery, code maintainer notification
  Oct 17, 2005  Issue 4: Code maintainer acknowledgement
  Oct 18, 2005  Issue 5: Discovery, code maintainer notification
  Oct 18, 2005  Issue 5: Discovery, code maintainer notification
  Oct 18, 2005  Issue 2: Discovery, code maintainer notification
  Oct 18, 2005  Issue 3: Discovery, code maintainer notification
  Oct 30, 2005  Issue 6: Discovery, code maintainer notification
  Oct 31, 2005  Issue 2: Code maintainer acknowledgement
  Oct 31, 2005  Issue 3: Code maintainer acknowledgement
  Nov 22, 2005  Issues 1-6: Code maintainer provides fix
  Nov 22, 2005  Issues 1-6: Coordinated release & publication

REFERENCES
  OTRS Advisory
    http://otrs.org/advisory/OSA-2005-01-en/

ADDITIONAL CREDIT
  N/A

LICENSE
  Creative Commons Attribution-ShareAlike License Germany
  http://creativecommons.org/licenses/by-sa/2.0/de/
|References

Source: BID
Name: 15537
Link: http://www.securityfocus.com/bid/15537/
Source: SECUNIA
Name: 17685
Link: http://secunia.com/advisories/17685/
Source: otrs.org
Link: http://otrs.org/advisory/OSA-2005-01-en/
Source: MISC
Link: http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt
Source: BUGTRAQ
Name: 20051122 OTRS 1.x/2.x Multiple Security Issues
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=113272360804853&w=2
Source: XF
Name: otrs-email-attachment-xss(23355)
Link: http://xforce.iss.net/xforce/xfdb/23355
Source: OSVDB
Name: 21066
Link: http://www.osvdb.org/21066
Source: SUSE
Name: SUSE-SR:2005:030
Link: http://www.novell.com/linux/security/advisories/2005_30_sr.html
Source: VUPEN
Name: ADV-2005-2535
Link: http://www.frsirt.com/english/advisories/2005/2535
Source: DEBIAN
Name: DSA-973
Link: http://www.debian.org/security/2006/dsa-973
Source: SECUNIA
Name: 18887
Link: http://secunia.com/advisories/18887
Source: SECUNIA
Name: 18101
Link: http://secunia.com/advisories/18101
Source: FULLDISC
Name: 20051122 OTRS 1.x/2.x Multiple Security Issues
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039001.html
Source: SREA