CVE-2022-39050 An attacker who is logged into OTRS as an admin user may manipulate the customer URL field to store JavaScript that is later executed in the context of OTRS.

which are accessible by a logged-in attacker. Another example of a destructive attack is an attacker who creates an OTRS account to monitor a specific email address or account. The attacker could manipulate the URL field to store JavaScript code that runs later, when an agent visits that specific email address. The stored JavaScript is then executed in the context of the agent. The same issue applies to external data sources, e.g. a database or LDAP. As a security best practice, avoid hardcoding sensitive data into the actual URLs. Instead, use an API that doesn't allow manipulation of the URL.
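The two controls that close this class of stored XSS are validating the URL field on input (only absolute http(s) URLs are accepted, so `javascript:` and similar schemes are never stored) and escaping the stored value on output. The following is an added illustration, not OTRS code; the function names, the 2048-character limit and the sample values are assumptions.

```python
"""Defensive handling of a user-supplied URL field (added example, not OTRS code)."""
from typing import Optional
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web links are legitimate here


def validate_customer_url(value: str) -> Optional[str]:
    """Return the URL if it is an absolute http(s) URL, otherwise None."""
    if not isinstance(value, str) or len(value) > 2048:  # 2048 is an assumed limit
        return None
    # Reject control characters before parsing: obfuscations such as
    # "java\tscript:" rely on a lenient parser stripping them.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return None
    candidate = value.strip()
    parts = urlsplit(candidate)
    # urlsplit lowercases the scheme, so "JaVaScRiPt:" is caught too.
    # Requiring a netloc also rejects scheme-relative "//host" forms.
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return candidate


def render_customer_link(stored_url: str, label: str) -> str:
    """Build the <a> tag; both the href attribute and the label are escaped."""
    safe_url = validate_customer_url(stored_url)
    if safe_url is None:
        # A stored value that fails validation is shown as inert text only.
        return html.escape(label, quote=True)
    return '<a href="{}" rel="noopener noreferrer">{}</a>'.format(
        html.escape(safe_url, quote=True), html.escape(label, quote=True)
    )


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate link and several hostile ones.
    for sample in ["https://example.com/customer/42", "javascript:alert(1)",
                   "JaVaScRiPt:alert(1)", "java\tscript:alert(1)", "//example.com/x",
                   "data:text/html,x"]:
        print(repr(sample), "->", validate_customer_url(sample))
    print(render_customer_link('https://example.com/?q="><script>', "Acme"))
```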

How to Protect Your Organization from OTRS Administrator Attacks

One of the ways to protect your organization from OTRS administrator attacks is to ensure that your OTRS administrators are experts in security. This can be achieved by training them on security best practices and by using role-based access control (RBAC) for your OTRS administrator accounts. There are many tools that will help you enforce an RBAC strategy.
Additionally, it's important to note that even if an attacker were able to gain access to an account with RBAC enabled, they still could not execute any actions without having the correct permissions. For example, if you have an OTRS administrator account that has read permissions to some data sources but write permissions to others, the attacker would not be able to execute actions on those data sources without first obtaining the correct permissions.

Timeline

Published on: 09/05/2022 07:15:00 UTC
Last modified on: 09/08/2022 20:45:00 UTC

References