Bug 688727 (CVE-2011-0456)

Summary: CVE-2011-0456 otrs: arbitrary command execution flaw
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: vanmeeuwen+fedora
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-29 17:50:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 635847    
Bug Blocks:    

Description Vincent Danen 2011-03-17 20:27:55 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0456 to
the following vulnerability:

Name: CVE-2011-0456
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0456
Assigned: 20110114
Reference: http://jvn.jp/en/jp/JVN73162541/index.html
Reference: http://jvndb.jvn.jp/jvndb/JVNDB-2011-000019

Open Ticket Request System (OTRS) 2.3.4 and earlier allows remote
attackers to execute arbitrary commands via unspecified vectors,
related to a "command injection vulnerability."


I asked upstream about this and the only information they provided is that OTRS versions greater than 2.3.4 are not affected (have the fix).  Request for clarification on whether this only affected 2.3.4, or how far back it went, or what was the fix, were ignored.

EPEL-5 contains OTRS 2.1.7, so it is unclear as to whether a version that old is affected.
Comment 1 Vincent Danen 2011-03-18 17:33:05 UTC 
Kurt Seifried pointed out the following commit, that is also relevant to 2.1.7:


diff -ru otrs-2.3.4/scripts/webform.pl otrs-2.3.5/scripts/webform.pl
--- otrs-2.3.4/scripts/webform.pl       2008-04-24 11:32:15.000000000 -0600
+++ otrs-2.3.5/scripts/webform.pl       2009-02-20 04:49:40.000000000 -0700

@@ -241,13 +261,15 @@
     push @Mail, "\n";

     # send mail
-    $Param{From} =~ s/"|;|'|<|>|\|| //ig;
-    if ( open( MAIL, "|$Sendmail $Param{From} " ) ) {
-        print MAIL @Mail;
-        close(MAIL);
+    my $FromEmail = $Param{FromEmail};
+    $FromEmail =~ s/"|;|'|<|>|\||\s|\r|\n|\t|`//ig;
+    $FromEmail = quotemeta $FromEmail;
+    if ( open( my $Mail, '|-', "$Sendmail $FromEmail" ) ) {
+        print $Mail @Mail;
+        close $Mail;

I suspect this is the problem right here.
Comment 2 Vincent Danen 2014-01-29 17:50:48 UTC 
OTRS has been removed from EPEL5, so this flaw no longer affects anything currently shipped.