which are accessible by logged-in attacker. Another example of a destructive attack is when an attacker creates an OTRS account to monitor a specific email address or account. The attacker could manipulate the URL field to store JavaScript code to be run later when the agent visits the specific email address. Then this stored JavaScript code is executed in the context of agent. The same issue applies for external data sources e.g. database or ldap. As a security best practice, avoid hardcoding sensitive data into the actual URLs. Instead, use an API that doesn’t allow for manipulation of the URL.
How to Protect Your Organization from OTRS Administrator Attacks
One of the ways to protect your organization from OTRS administrator attacks is to ensure that your OTRS administrators are experts in security. This can be achieved by training them on security best practices and using a tool like role-based access control (RBAC) for your OTRS administrator accounts. There are many tools out there that will help you enforce a RBAC strategy.
Additionally, it’s important to note that even if an attacker was able to successfully gain access to an account with RBAC enabled, they still cannot execute any actions without having the correct permissions. For example, if you have an OTRS administrator account that has read permissions to some data sources but write permissions to others, the attacker would not be able to execute actions on those data sources without first obtaining the correct permissions.
Timeline
Published on: 09/05/2022 07:15:00 UTC
Last modified on: 09/08/2022 20:45:00 UTC