Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0456 to the following vulnerability: Name: CVE-2011-0456 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0456 Assigned: 20110114 Reference: http://jvn.jp/en/jp/JVN73162541/index.html Reference: http://jvndb.jvn.jp/jvndb/JVNDB-2011-000019 Open Ticket Request System (OTRS) 2.3.4 and earlier allows remote attackers to execute arbitrary commands via unspecified vectors, related to a "command injection vulnerability." I asked upstream about this and the only information they provided is that OTRS versions greater than 2.3.4 are not affected (have the fix). Request for clarification on whether this only affected 2.3.4, or how far back it went, or what was the fix, were ignored. EPEL-5 contains OTRS 2.1.7, so it is unclear as to whether a version that old is affected.
Kurt Seifried pointed out the following commit, that is also relevant to 2.1.7: diff -ru otrs-2.3.4/scripts/webform.pl otrs-2.3.5/scripts/webform.pl --- otrs-2.3.4/scripts/webform.pl 2008-04-24 11:32:15.000000000 -0600 +++ otrs-2.3.5/scripts/webform.pl 2009-02-20 04:49:40.000000000 -0700 @@ -241,13 +261,15 @@ push @Mail, "\n"; # send mail - $Param{From} =~ s/"|;|'|<|>|\|| //ig; - if ( open( MAIL, "|$Sendmail $Param{From} " ) ) { - print MAIL @Mail; - close(MAIL); + my $FromEmail = $Param{FromEmail}; + $FromEmail =~ s/"|;|'|<|>|\||\s|\r|\n|\t|`//ig; + $FromEmail = quotemeta $FromEmail; + if ( open( my $Mail, '|-', "$Sendmail $FromEmail" ) ) { + print $Mail @Mail; + close $Mail; I suspect this is the problem right here.
OTRS has been removed from EPEL5, so this flaw no longer affects anything currently shipped.