Bug 10927 - otrs new security issue CVE-2013-4717
: otrs new security issue CVE-2013-4717
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/562192/
: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-6...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-08-05 20:21 CEST by David Walser
Modified: 2013-08-11 14:52 CEST (History)
6 users (show)

See Also:
Source RPM: otrs-3.2.8-1.mga3.src.rpm
CVE:


Attachments

Description David Walser 2013-08-05 20:21:12 CEST
Debian has issued an advisory on August 2:
http://www.debian.org/security/2013/dsa-2733

It appears that the issue was fixed upstream in 3.2.9.

Mageia 2 and Mageia 3 are also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-08-06 10:54:07 CEST
3.2.9 has been submitted to all.
Comment 2 David Walser 2013-08-06 20:35:54 CEST
Thanks Oden!

Advisory:
========================

Updated otrs packages fix security vulnerability:

It was discovered that otrs2, the Open Ticket Request System, does not properly
sanitise user-supplied data that is used on SQL queries. An attacker with a
valid agent login could exploit this issue to craft SQL queries by injecting
arbitrary SQL code through manipulated URLs (CVE-2013-4717).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4717
http://www.debian.org/security/2013/dsa-2733
========================

Updated packages in core/updates_testing:
========================
otrs-3.2.9-1.mga2
otrs-3.2.9-1.mga3

from SRPMS:
otrs-3.2.9-1.mga2.src.rpm
otrs-3.2.9-1.mga3.src.rpm
Comment 3 William Kenney 2013-08-09 17:00:23 CEST
How do I launch otrs?

Apache is succesfully running on the test system.
The following webpages are available:

http://localhost/~wilcal/ ( works )
http://192.168.1.40/~wilcal/  ( from the LAN works )
http://192.168.1.40/  ( It works! works )

After installing otrs from the MCC I tried the following:
http://localhost/~otrs/
http://localhost/otrs/
http://otrs.localhost
http://localhost/otrs/index.pl
http://localhost/~otrs/index.pl
http://192.168.1.40/~otrs/
http://192.168.1.40/otrs/
http://otrs.192.168.1.40
http://192.168.1.40/otrs/index.pl
http://192.168.1.40/~otrs/index.pl

none work, even after reboot

FWIW http://localhost/awstats/ works just fine
http://localhost/otrs/ does not

There exists a /etc/httpd/conf/sites.d/otrs.conf file

Thanks
Comment 4 David Walser 2013-08-09 17:11:36 CEST
(In reply to William Kenney from comment #3)
> How do I launch otrs?
> 
> There exists a /etc/httpd/conf/sites.d/otrs.conf file

Therein lies the answer to your question:
Alias /otrs-web/ "/var/www/otrs/var/httpd/htdocs"

So it would be http://localhost/otrs-web/
Comment 5 Dave Hodgins 2013-08-11 06:12:57 CEST
Advisory 10927.adv uploaded to svn.
Comment 6 Dave Hodgins 2013-08-11 06:31:01 CEST
Testing Mageia 2 i586, firefox localhost/otrs returns
 The server encountered an internal error and was unable to complete your request.

Error message:
(null) at /usr/lib/perl5/vendor_perl/5.14.2/i386-linux-thread-multi/ModPerl/RegistryCooker.pm line 541. 

Trying localhost/otrs-web returns not found.
Comment 7 Dave Hodgins 2013-08-11 06:34:41 CEST
Sorry for the noise. Ignore comment 6.

See https://bugs.mageia.org/show_bug.cgi?id=10352#c12 for procedure.
Comment 8 Dave Hodgins 2013-08-11 06:39:52 CEST
As per bug 10669 the requires for perl-DBD-mysql is still missing, so it must
be installed manually.
Comment 9 Dave Hodgins 2013-08-11 06:58:01 CEST
Testing complete Mageia 2 and 3, i586 and x86_64.

Could someone from the sysadmin team push 10927.adv to updates.
Comment 10 Thomas Backlund 2013-08-11 14:52:21 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0247.html

Note You need to log in before you can comment on or make changes to this bug.