non-admin agent can call Kernel::Modules:Installer.pm

[jtvogt]

Hi all,

I've discovered the following security problem and need some advice how to fix this:
an OTRS agent having no admin rights can call .../otrs/index.plXXXXXXXXXXX and modify the OTRS configuration

Details:
OTRS 4.0.22
OS: SLES 11 SP4
Auth-Backend: DB (Postgres 9.4)
Agent has only ro permission on one (non-admin) group
SecureMode is active, opening URL ../otrs/installer.pl leads to a notice that SecureMode is on

Many thanks

Thomas

[jojo]

Please send a mail to security@otrs.org

Thanks

[jojo]

Thanks, I removed the critical part to avoid security breaches till official release of the OTRS Security Announcement

Thank you for reporting!

[rolfschmidt]

Hi all,

I've discovered the following security problem and need some advice how to fix this:
...

Thank you very much for your report

A possible fix would be to de-register the frontend module in the /opt/otrs/Kernel/Config.pm:

https://znuny.com/en/#!/advisory/ZSA-2017-01

Best regards,
Rolf

[jtvogt]

Hi,

many thanks for providing a workaround !!

Thomas

[jojo]

Official announcement and fixed was released today:

https://www.otrs.com/security-advisory- ... -versions/

You can download the latest version via otrs.com or http://ftp.otrs.org/pub/otrs/otrs-latest.tar.gz (or http://ftp.otrs.org/pub/otrs/otrs-latest-4.0.tar.gz)