Mageia Bugzilla – Bug 10927
otrs new security issue CVE-2013-4717
Last modified: 2013-08-11 14:52:21 CEST
Debian has issued an advisory on August 2:
It appears that the issue was fixed upstream in 3.2.9.
Mageia 2 and Mageia 3 are also affected.
3.2.9 has been submitted to all.
Updated otrs packages fix security vulnerability:
It was discovered that otrs2, the Open Ticket Request System, does not properly
sanitise user-supplied data that is used on SQL queries. An attacker with a
valid agent login could exploit this issue to craft SQL queries by injecting
arbitrary SQL code through manipulated URLs (CVE-2013-4717).
Updated packages in core/updates_testing:
How do I launch otrs?
Apache is successfully running on the test system.
The following webpages are available:
http://localhost/~wilcal/ ( works )
http://192.168.1.40/~wilcal/ ( from the LAN works )
http://192.168.1.40/ ( It works! works )
After installing otrs from the MCC I tried the following:
none work, even after reboot
FWIW http://localhost/awstats/ works just fine
http://localhost/otrs/ does not
There exists a /etc/httpd/conf/sites.d/otrs.conf file
(In reply to William Kenney from comment #3)
> How do I launch otrs?
> There exists a /etc/httpd/conf/sites.d/otrs.conf file
Therein lies the answer to your question:
Alias /otrs-web/ "/var/www/otrs/var/httpd/htdocs"
So it would be http://localhost/otrs-web/
Advisory 10927.adv uploaded to svn.
Testing Mageia 2 i586, firefox localhost/otrs returns
The server encountered an internal error and was unable to complete your request.
(null) at /usr/lib/perl5/vendor_perl/5.14.2/i386-linux-thread-multi/ModPerl/RegistryCooker.pm line 541.
Trying localhost/otrs-web returns not found.
Sorry for the noise. Ignore comment 6.
See https://bugs.mageia.org/show_bug.cgi?id=10352#c12 for procedure.
As per bug 10669 the requires for perl-DBD-mysql is still missing, so it must
be installed manually.
Testing complete Mageia 2 and 3, i586 and x86_64.
Could someone from the sysadmin team push 10927.adv to updates.