Hi all,
I've discovered the following security problem and need some advice on how to fix this:
an OTRS agent with no admin rights can call .../otrs/index.plXXXXXXXXXXX and modify the OTRS configuration
Details:
OTRS 4.0.22
OS: SLES 11 SP4
Auth-Backend: DB (Postgres 9.4)
Agent has only ro permission on one (non-admin) group
SecureMode is active, opening URL ../otrs/installer.pl leads to a notice that SecureMode is on
Many thanks
Thomas
non-admin agent can call Kernel::Modules:Installer.pm
Moderator: crythias
Re: non-admin agent can call Kernel::Modules:Installer.pm
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master
Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
Re: non-admin agent can call Kernel::Modules:Installer.pm
Thanks, I removed the critical part to avoid security breaches until the official release of the OTRS Security Announcement.
Thank you for reporting!
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master
Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
-
- Znuny newbie
- Posts: 1
- Joined: 30 May 2017, 19:27
- Znuny Version: All Versions
Re: non-admin agent can call Kernel::Modules:Installer.pm
Thank you very much for your report.
jtvogt wrote:
Hi all,
I've discovered the following security problem and need some advice on how to fix this:
...
A possible fix would be to de-register the frontend module in the /opt/otrs/Kernel/Config.pm:
https://znuny.com/en/#!/advisory/ZSA-2017-01
Best regards,
Rolf
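As an added illustration of the workaround Rolf describes (this is not text from the advisory or from the forum), here is how the de-registration would sit in the Load sub of Kernel/Config.pm. It assumes the Installer frontend module is registered under the standard OTRS SysConfig key Frontend::Module###Installer, i.e. as the hash entry $Self->{'Frontend::Module'}->{'Installer'}:

```perl
# /opt/otrs/Kernel/Config.pm  (added example, not the project's own file)
package Kernel::Config;

use strict;
use warnings;
use utf8;

sub Load {
    my $Self = shift;

    # ... existing database, SecureMode and other local settings stay here ...
    $Self->{SecureMode} = 1;

    # Workaround from ZSA-2017-01 as described in the thread: drop the
    # registration of the Installer frontend module so that index.pl no
    # longer dispatches to Kernel::Modules::Installer for any agent.
    # Assumption: 'Installer' is the registration name used by
    # Frontend::Module###Installer in the stock OTRS configuration.
    delete $Self->{'Frontend::Module'}->{'Installer'};

    return 1;
}

# needed system stuff (do not edit): inherit all defaults
use Kernel::Config::Defaults;
use base qw(Kernel::Config::Defaults);

1;
```

Check the file with `perl -cw Kernel/Config.pm` before reloading, and restart the web server if OTRS runs under mod_perl so the changed configuration is actually picked up.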
-
- Znuny newbie
- Posts: 8
- Joined: 23 Apr 2013, 16:18
- Znuny Version: 4.0.7
- Real Name: Thomas Vogt
- Company: yourdata GmbH
Re: non-admin agent can call Kernel::Modules:Installer.pm
Hi,
Many thanks for providing a workaround!!
Thomas
Re: non-admin agent can call Kernel::Modules:Installer.pm
The official announcement and fix were released today:
https://www.otrs.com/security-advisory- ... -versions/
You can download the latest version via otrs.com or http://ftp.otrs.org/pub/otrs/otrs-latest.tar.gz (or http://ftp.otrs.org/pub/otrs/otrs-latest-4.0.tar.gz)
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master
Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com