announce at otrs.org for announcements of new OTRS releases and security issues

Stefan Rother | 22 Nov 2005 09:45

OTRS 2.0.4 (Klong Jark Beach) Released

Good morning,

This is the latest release of OTRS 2.0, and contains some bug
fixes and 3 security bug fixes. Detailed informations about the security 
fixes can be found here:

English: http://otrs.org/advisory/OSA-2005-01-en.shtml
German:  http://otrs.org/advisory/OSA-2005-01-de.shtml

The OTRS team recommends all OTRS 2.0.x users to appeal upgrade to OTRS 
2.0.4.

Changes:
========
o fixed bug #922 - rfc quoteing for emails with sender
    like info <at> example.com <info <at> example.com> is now
    "info <at> example.com" <info <at> example.com>
o fixed bug #971 - Invalid agents get LockTimeOut notification
o fixed bug #948 - Invalid agents should not longer get follow-ups
o fixed bug #906 - group names are translated in admin interface
o fixed bug #863 - error after using faq in tickets
o fixed bug #792 - GPG 1.4.1 is no handled correct
o fixed bug #695 - From-Header missing quoting if : is used
o fixed bug #639 - problems with german "umlaute" and
    "," in realname if OE is the sender system
o fixed small bug for WorkingTime calculation
o fixed input check of TimeVacationDays and TimeVacationDaysOneTime
    in admin interface (just integer values allowed)
o fixed time (hour and minute) selection on 0x default selections
    in framework (00 selection if 0x was selected)

(Continue reading)

headers

OTRS Security Team | 23 Nov 2005 08:31

English: [OSA-2005-01] Vulnerabilities in OTRS core / SQL-Injection and Cross-Site-Scripting


 -----------------------------------------------------------------------
 OTRS Security Advisory 2005-01                      <security <at> otrs.org>
 -----------------------------------------------------------------------
 ID:         OSA-2005-01
 Date:       2005-11-22
 Title:      Vulnerabilities in OTRS-Core allows
             SQL-Injection and Cross-Site-Scripting
 Severity:   Critical
 Product:    OTRS 2.x, OTRS 1.x
 Fixed in:   OTRS 2.0.4, OTRS 1.3.3
 URL:        http://otrs.org/advisory/OSA-2005-01-en/
 -----------------------------------------------------------------------

This Advisory covers three vulnerabilities in the OTRS-System-Core.

SQL-Injection via UNION

  Missing security quoting for SQL statements allows agents the
  manipulation of SQL queries. So it's possible to inject SQL queries
  via UNION statements.

  A malicious user may be able to login successfully without valid
  credentials. Authentication mechanisms other than the database 
  backend authentication are not affected.

  Authenticated users can use this vulnerabilitiy to get records from
  other OTRS database tables. This informations can be used for
  other attacks like session hijacking.

(Continue reading)

headers

OTRS Security Team | 23 Nov 2005 08:32

German: [OSA-2005-01] Schwachstellen im OTRS-Core erlauben SQL-Injection und Cross-Site-Scripting


 -----------------------------------------------------------------------
 OTRS Security Advisory 2005-01                      <security <at> otrs.org>
 -----------------------------------------------------------------------
 ID:         OSA-2005-01
 Datum:      2005-11-22
 Titel:      Schwachstellen im OTRS-Core erlauben
             SQL-Injection und Cross-Site-Scripting
 Einstufung: Kritisch
 Produkte:   OTRS 2.x, OTRS 1.x
 Behoben in: OTRS 2.0.4, OTRS 1.3.3
 URL:        http://otrs.org/advisory/OSA-2005-01-de/
 -----------------------------------------------------------------------

Dieses Advisory adressiert drei Sicherheitsluecken im OTRS-Systemkern.

SQL-Injection per UNION

  Fehlende Sicherheitsueberpruefungen fuer SQL-Statements ermoeglichen
  einem angemeldeten Benutzer die Manipulation von Abfragen. Per UNION
  lassen sich beliebige SELECT-Statements einschleusen, welche dann von
  der Datenbank verarbeitet werden.

  Ein Angreifer kann diese Schwachstelle gezielt ausnutzen, um das
  Ergebnis einer Anfrage so zu manipulieren, dass eine Benutzeranmeldung
  trotz ungueltiger Anmeldedaten erfolgreich ist. Er kann so unbefugt
  Zugang zum OTRS erhalten. Anfaellig fuer derartige Angriffe sind
  Installationen, welche einen Benutzer gegen eine SQL-Datenbank
  authentisieren.

(Continue reading)

Mon	Tue	Wed	Thu	Fri	Sat	Sun

	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30

3	May 2013
6	April 2013
2	March 2013
1	February 2013
3	January 2013
1	December 2012
2	November 2012
3	October 2012
1	September 2012
6	August 2012
2	June 2012
1	May 2012
2	April 2012
5	March 2012
13	February 2012
11	January 2012
6	December 2011
3	November 2011
4	October 2011
5	August 2011
2	July 2011
2	June 2011
1	May 2011
6	April 2011
8	March 2011
6	February 2011
9	January 2011
3	December 2010
4	November 2010
3	October 2010
5	September 2010
2	August 2010
5	February 2010
1	January 2010
2	October 2009
1	September 2009
1	August 2009
5	July 2009
1	June 2009
1	May 2009
1	April 2009
1	February 2009
1	January 2009
3	December 2008
2	November 2008
4	October 2008
2	September 2008
3	August 2008
2	July 2008
3	June 2008
1	May 2008
3	April 2008
4	March 2008
1	February 2008
1	January 2008
4	November 2007
2	September 2007
2	August 2007
4	July 2007
1	June 2007
3	May 2007
4	April 2007
2	March 2007
1	February 2007
1	January 2007
1	December 2006
1	November 2006
2	October 2006
1	September 2006
1	August 2006
1	June 2006
3	May 2006
1	March 2006
1	January 2006
3	November 2005
1	October 2005
1	September 2005
3	August 2005
3	July 2005
3	May 2005
2	October 2004
2	September 2004
2	August 2004
1	July 2004
1	June 2004
1	April 2004
4	February 2004
1	January 2004
1	November 2003
1	October 2003
2	July 2003
1	June 2003
1	May 2003
1	April 2003
1	March 2003
1	February 2003