[otrs2] [CVE-2008-1515] information disclosure

Bug #214993 reported by disabled.user
Affects          Status         Importance   Assigned to   Milestone
otrs2 (Ubuntu)   Fix Released   Undecided    Unassigned
Nominated for Dapper by disabled.user
Nominated for Feisty by disabled.user
Declined for Gutsy by Luca Falavigna
Nominated for Hardy by disabled.user

Bug Description

Binary package hint: otrs2

Quoting CVE-2008-1515:
"The SOAP interface in OTRS 2.1.x before 2.1.8 and 2.2.x before 2.2.6 contains "Missing security checks," which allows remote attackers to "read and modify objects" via SOAP requests."

Revision history for this message
ubuntu_demon (ubuntu-demon) wrote :

I'm confirming this bug. Here's more information:
http://otrs.org/news/2008/otrs_2_2_6/

Changed in otrs2:
status: New → Confirmed
ubuntu_demon (ubuntu-demon) wrote :

More information: http://otrs.org/advisory/OSA-2008-01-en/

Suggested workaround by OTRS (other than upgrading to 2.2.6 / 2.1.8):

As a workaround you can remove the file bin/cgi-bin/rpc.pl or
update bin/cgi-bin/rpc.pl from cvs to version 1.6
(http://cvs.otrs.org/viewvc.cgi/otrs/bin/cgi-bin/rpc.pl).
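The workaround above is a file operation, but an administrator also wants to know which installs still expose the endpoint before touching them. The following shell script is an added example, not code from the bug report or from OTRS: it audits an OTRS root for bin/cgi-bin/rpc.pl, reads the revision from the CVS "$Id:" keyword line that OTRS sources of that era carried (an assumption about the file header), and applies the "remove the file" option by moving rpc.pl out of the web-served cgi-bin directory so it can be restored later if SOAP is actually needed. The root path argument is assumed; a real install would pass something like /usr/share/otrs.

```shell
#!/bin/sh
# Added example (not from the Launchpad report or from OTRS): audit an OTRS
# install for the SOAP endpoint bin/cgi-bin/rpc.pl covered by OSA-2008-01 and
# apply the "remove the file" workaround by moving it out of cgi-bin.
# Assumptions: $1 is the OTRS root directory; the revision is read from a
# CVS "$Id: rpc.pl,v <rev> ..." keyword line (assumed to be present in the
# file header, as in OTRS sources of that period).

# Print "exposed <revision>" and return 0 if rpc.pl is still served from
# cgi-bin; print "absent" and return 1 otherwise. If no $Id line is found
# the revision is reported as "unknown".
check_rpc_exposure() {
    otrs_root="$1"
    rpc="$otrs_root/bin/cgi-bin/rpc.pl"
    if [ ! -f "$rpc" ]; then
        echo "absent"
        return 1
    fi
    # Extract the numeric revision from the CVS keyword line, e.g.
    # "# $Id: rpc.pl,v 1.5 2007/09/29 11:08:15 mh Exp $" -> "1.5"
    rev=$(sed -n 's/^.*\$Id: rpc\.pl,v \([0-9.]*\) .*$/\1/p' "$rpc" | head -n 1)
    [ -n "$rev" ] || rev="unknown"
    echo "exposed $rev"
    return 0
}

# Disable the endpoint by moving rpc.pl to <root>/rpc.pl.disabled, which is
# outside cgi-bin and therefore no longer executed by the web server.
# Prints the backup path and returns 0; returns 2 if the file was already gone.
disable_rpc_endpoint() {
    otrs_root="$1"
    rpc="$otrs_root/bin/cgi-bin/rpc.pl"
    [ -f "$rpc" ] || return 2
    backup="$otrs_root/rpc.pl.disabled"
    mv "$rpc" "$backup" && echo "$backup"
}

# Stand-alone usage: ./rpc_audit.sh /path/to/otrs  (audit only, no changes)
if [ $# -gt 0 ]; then
    check_rpc_exposure "$1"
fi
```

Moving rather than deleting keeps the original file for a later diff against the fixed upstream revision and makes the change reversible; the audit function is the piece to run across every host, since an install with rpc.pl "absent" needs no further action for this advisory.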

ubuntu_demon (ubuntu-demon) wrote :

I think the best approach is to go for removing the file bin/cgi-bin/rpc.pl because probably most (small) otrs setups don't need SOAP/rpc. It's easy to make a debdiff in the following way:
https://wiki.ubuntu.com/PackagingGuide/Recipes/Debdiff

I can't do it right now because I don't have my gpg key on hand.

MichielBeijen (michiel-beijen) wrote :

I guess this bug still open means that the package is currently not being maintained?

I'm working for OTRS AG, and willing to work with someone from the Ubuntu team to get the package OTRS2 in Ubuntu in proper shape. Either that, or I'd rather have it removed from the repositories.

Jamie Strandboge (jdstrand) wrote :

This was fixed in Ubuntu 10.04 LTS.

Changed in otrs2 (Ubuntu):
status: Confirmed → Fix Released
This report contains Public Security information
Everyone can see this security related information.