ciri has reported some vulnerabilities in OTRS (Open Ticket Request System), which can be exploited by malicious people to conduct cross-site scripting and cross-site request forgery attacks.
1) Input passed to the "Subaction" parameter in index.pl is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
2) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to perform actions with the privileges of a target user, who is tricked into visiting a malicious website.
The vulnerabilities are reported in version 2.0.4. Other versions may also be affected.
Solution: Reportedly fixed in version 2.2.0 beta.
Reproducible: Always
maintainers - please provide a fix
Does anybody know of a backported patch for 2.0.4/2.1.7? As 2.1.7 is currently facing some heavy changes (bug#172305), it would be nice to have this patch available for 2.0.4 and to be able to include it in 2.1.7 as soon as I've finished the rewrite of this ebuild. Regards, Elias P.
I looked at their bugzilla and it seems that they are still working on a patch for 2.0.4.
They released a fix: http://users.otrs.com/~me/otrs-2.0.4-OSA-2007-01-patch.diff maintainers - please provide an updated ebuild
maintainers - please advise
maintainers - please advise and patch as necessary
*** Bug 183562 has been marked as a duplicate of this bug. ***
*** Bug 172305 has been marked as a duplicate of this bug. ***
Since OTRS 2.0.5 (released 05-29-2007) fixes this, can we perhaps change this to a version bump?
maintainers - please advise and bump as necessary
I finally resolved all problems that kept me from closing bug#172305. Expect updated ebuilds for OTRS during the next days. Regards, Elias P.
There's 2.1.5 in the tree, does it fix this issue?
web-apps, please advise.
I added otrs-2.2.2 to the tree now and removed the older, insecure ebuilds. I currently did not remove the mask since I'd like some feedback whether the ebuild really installs fine. The post install instructions are somewhat more complex but I had no problem installing it. If I could get one confirmation of this I'd remove the mask.
Thanks Gunnar. In any case, I think we can close this one without a GLSA. Feel free to reopen if you disagree.