Last modified: 2014-10-15 23:51:53 UTC
See:

http://www.otrs.com/security-advisory-2014-05-clickjacking-issue/ ("An attacker could embed OTRS in a hidden <iframe> tag of another page, tricking the user into clicking links in OTRS.")

http://www.otrs.com/security-advisory-2014-04-xss-issue/ ("A logged in attacker could insert special content in dynamic fields, leading to JavaScript code being executed in OTRS.")

We are currently running OTRS 3.2.14. Note that this would also solve bug 61912 ("Update OTRS to 3.2.15 (address XSS vulnerability)").
*** Bug 61912 has been marked as a duplicate of this bug. ***
I applied patches for these.
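One way to confirm that a clickjacking fix such as the one in the advisory above is actually in effect is to inspect the response headers for the standard framing defenses (X-Frame-Options, or a Content-Security-Policy frame-ancestors directive, which browsers give precedence when both are present). This is an added example, not OTRS code or the patch applied in this bug; the header sets at the bottom are constructed.

```python
# Added example: classify an HTTP response's framing policy from its headers.
# Not OTRS code; SAMPLE_RESPONSES below are constructed header sets.
from typing import Dict, List, Optional, Tuple


def _parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason). Header names are matched case-insensitively.

    A CSP frame-ancestors directive is evaluated first: browsers that support it
    ignore X-Frame-Options when frame-ancestors is present.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = _parse_frame_ancestors(csp)
        if ancestors is not None:
            if ancestors == ["'none'"]:
                return True, "CSP frame-ancestors 'none'"
            # '*' or a bare scheme ("http:", "https:") lets any site frame the page.
            if any(a == "*" or a.endswith(":") for a in ancestors):
                return False, "CSP frame-ancestors too broad: " + " ".join(ancestors)
            return True, "CSP frame-ancestors restricted to " + " ".join(ancestors)
    xfo = h.get("x-frame-options")
    if xfo is None:
        return False, "no X-Frame-Options and no CSP frame-ancestors"
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + value
    if value.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by most browsers"
    return False, "unrecognised X-Frame-Options value %r (browsers ignore it)" % xfo


# Constructed responses; "unpatched" is the shape an install without any fix sends.
SAMPLE_RESPONSES = {
    "unpatched": {"Content-Type": "text/html; charset=utf-8"},
    "xfo": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_wins": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        ok, why = framing_protection(hdrs)
        print("%-10s %s  %s" % (name, "protected" if ok else "EXPOSED", why))
```

Against a live install the same function can be fed the headers returned by an HTTP client for the OTRS login page; the "csp_wins" case shows why X-Frame-Options alone is not the whole story once a CSP is deployed.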
All,

My 1.22.2 MediaWiki install was completely compromised in the past 20 days. I think every RIPE, RU and APNIC address logged in and apparently autocreated accounts bypassing the captcha and confirmation security routines. My server was flooded with thousands of requests of the type:

195.154.211.103 - - [19/Sep/2014:21:52:37 -0500] "GET /mediawiki/index.php/Get_Started_In_College_With_These_Tips HTTP/1.1" 500 1040
167.160.115.28 - - [19/Sep/2014:21:52:38 -0500] "GET /mediawiki/index.php/Effortless_hemorrhoids_Systems_Around_The_USA HTTP/1.0" 500 1040
209.236.112.190 - - [19/Sep/2014:21:52:38 -0500] "GET /mediawiki/index.php/User:KentonBenedict HTTP/1.1" 500 1040
5.196.106.78 - - [19/Sep/2014:21:52:41 -0500] "GET /mediawiki/index.php/Is_The_Laptop_Running_Rather_Slowly_There_May_Be_An_Simple_Fix HTTP/1.1" 500 1040
167.160.115.28 - - [19/Sep/2014:21:52:42 -0500] "GET /mediawiki/index.php/Finding_Real-World_Programs_In_hemorrhoids HTTP/1.0" 500 1040
198.50.133.234 - - [19/Sep/2014:21:52:48 -0500] "GET /mediawiki/index.php/Test HTTP/1.1" 500 1040
94.249.242.81 - - [19/Sep/2014:21:52:49 -0500] "GET /mediawiki/index.php/Basic_Guidance_On_Recognising_Key_Issues_For_%E0%B8%A3%E0%B8%B1%E0%B8%9A%E0%B8%97%E0%B8%B3_Seo_%E0%B8%A3%E0%B8%B2%E0%B8%84%E0%B8%B2%E0%B8%96%E0%B8%B9%E0%B8%81 HTTP/1.1" 500 1040

They were apparently attempting a mail exploit through http@domain.tld. The access has since been closed, but it took hours to delete the thousands of users/pages created.

My question is: How can I determine that this XSS clickjacking was the vulnerability being exploited or whether another CVE was at play? MediaWiki was the only application compromised and settings were set tight. Let me know what to look for and what additional information would be helpful (I blew all changes to the mysql tables away, but have preserved the most recent logs).

I've updated to 1.23.3 and currently have the apache2.4 RequireAll limited to an admin group and several external IPs. This blocks all access attempts for the moment (but it blocks all good external access as well). How to check?
(In reply to David C. Rankin from comment #3)

This bug is not related to MediaWiki. Please limit your searches to MediaWiki related components. This message is probably more appropriate on [[mail:mediawiki-l]].
(In reply to Jeff Green from comment #2)
> I applied patches for these.

Shall we mark this as resolved then, or repurpose it to be just "Upgrade OTRS to latest stable"? What about bug 55681?
(In reply to Alex Monk from comment #5)
> (In reply to Jeff Green from comment #2)
> > I applied patches for these.
>
> Shall we mark this as resolved then, or repurpose it to be just "Upgrade
> OTRS to latest stable"? What about bug 55681?

Closing the bug as the security issue was fixed. (Also renaming - removing upgrade detail - will open new bug specific to upgrade.)