©2006 Internet Security Systems, Inc. All rights reserved worldwide.
otrs-login-sql-injection (23352)
The Open Source Ticket Request System (OTRS) is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the Login function to add, modify, or delete data from the database.
OSVDB ID: 21064
- SUSE-SR:2005:030
- OSVDB ID: 21065
- OTRS, OTRS 1.00 - 1.3.2
- Debian, Debian Linux 3.1
Full-Disclosure Mailing List, Tue Nov 22 2005 - 15:31:42 CST, OTRS 1.x/2.x Multiple Security Issues at
FrSIRT/ADV-2005-2535
: OTRS (Open Ticket Request System) Login Function User Variable SQL Injection
Medium Risk
FreeBSD, FreeBSD
References:
- Upgrade of the latest version : OTRS SQL Injection and Cross-Site Scripting Vulnerabilities
- OTRS Web site, OTRS::Email Management::Trouble Ticket System::Welcome! at For Debian GNU/Linux: .
- SA17685 : OTRS Multiple Input Validation Vulnerabilities
- Description: Multiple SQL injection vulnerabilities in index.pl in Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3 allow remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) user parameter in the Login action, and remote authenticated users via the (2) TicketID and (3) ArticleID parameters of the AgentTicketPlain action.
- SUSE Security Summary Report
- OTRS, OTRS 2.0.0 - 2.0.3
- http://www.szgy.org/archives/fulldisclosure/2005-11/0705.html
- Platforms Affected:
- Refer to DSA-973-1 for patch, upgrade, or suggested workaround information. See References.
- Open Source Ticket Request System Login function SQL injection
- SECTRACK ID: 1015262 : OTRS (Open Ticket Request System) AgentTicketPlain Action Multiple Variable SQL Injection
- OpenBSD, OpenBSD : otrs -- several vulnerabilities
: OTRS Input Validation Bugs Permit SQL Injection and Cross-Site Scripting Attacks