Bug 688727 - (CVE-2011-0456) CVE-2011-0456 otrs: arbitrary command execution flaw
CVE-2011-0456 otrs: arbitrary command execution flaw
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 635847
  Show dependency treegraph
Reported: 2011-03-17 16:27 EDT by Vincent Danen
Modified: 2014-01-29 12:50 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-01-29 12:50:48 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2011-03-17 16:27:55 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0456 to
the following vulnerability:

Name: CVE-2011-0456
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0456
Assigned: 20110114
Reference: http://jvn.jp/en/jp/JVN73162541/index.html
Reference: http://jvndb.jvn.jp/jvndb/JVNDB-2011-000019

Open Ticket Request System (OTRS) 2.3.4 and earlier allows remote
attackers to execute arbitrary commands via unspecified vectors,
related to a "command injection vulnerability."

I asked upstream about this and the only information they provided is that OTRS versions greater than 2.3.4 are not affected (have the fix).  Request for clarification on whether this only affected 2.3.4, or how far back it went, or what was the fix, were ignored.

EPEL-5 contains OTRS 2.1.7, so it is unclear as to whether a version that old is affected.
Comment 1 Vincent Danen 2011-03-18 13:33:05 EDT
Kurt Seifried pointed out the following commit, that is also relevant to 2.1.7:

diff -ru otrs-2.3.4/scripts/webform.pl otrs-2.3.5/scripts/webform.pl
--- otrs-2.3.4/scripts/webform.pl       2008-04-24 11:32:15.000000000 -0600
+++ otrs-2.3.5/scripts/webform.pl       2009-02-20 04:49:40.000000000 -0700

@@ -241,13 +261,15 @@
     push @Mail, "\n";

     # send mail
-    $Param{From} =~ s/"|;|'|<|>|\|| //ig;
-    if ( open( MAIL, "|$Sendmail $Param{From} " ) ) {
-        print MAIL @Mail;
-        close(MAIL);
+    my $FromEmail = $Param{FromEmail};
+    $FromEmail =~ s/"|;|'|<|>|\||\s|\r|\n|\t|`//ig;
+    $FromEmail = quotemeta $FromEmail;
+    if ( open( my $Mail, '|-', "$Sendmail $FromEmail" ) ) {
+        print $Mail @Mail;
+        close $Mail;

I suspect this is the problem right here.
Comment 2 Vincent Danen 2014-01-29 12:50:48 EST
OTRS has been removed from EPEL5, so this flaw no longer affects anything currently shipped.

Note You need to log in before you can comment on or make changes to this bug.