Vigil@nce - OTRS: denial of service via otrs.Scheduler.pl
October 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can manipulate the PID file of OTRS, in order to
trigger a denial of service.
– Impacted products: OTRS Help Desk.
– Severity: 1/4.
– Creation date: 30/09/2015.
DESCRIPTION OF THE VULNERABILITY
The OTRS product contains a scheduler (bin/otrs.Scheduler.pl),
which executes tasks in the background.
However, an authenticated attacker can manipulate the file
containing process identifiers, in order to alter the scheduler
behavior.
A local attacker can therefore manipulate the PID file of OTRS, in
order to trigger a denial of service.
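A defender-side check for the condition described above, as an added example that is not part of the Vigil@nce bulletin or of OTRS: it audits a daemon PID file for ownership, write permissions, and whether the recorded PID is a live scheduler process. The file path, the single-decimal-PID file format and the function name audit_pid_file are assumptions; the bulletin gives none of them.

```python
import os
import stat

def audit_pid_file(path, expected_uid, expected_cmd=None):
    """Return a list of findings for a daemon PID file; empty means clean."""
    try:
        st = os.lstat(path)          # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return ["pid file missing"]
    if not stat.S_ISREG(st.st_mode):
        return ["pid file is not a regular file"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append("pid file owned by uid %d" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("pid file is group- or world-writable")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("directory is world-writable without sticky bit")
    with open(path, "r", errors="replace") as fh:
        raw = fh.read(64).strip()    # assumed format: one decimal PID
    if not (raw.isascii() and raw.isdigit()) or int(raw) < 2:
        findings.append("content is not a valid PID")
        return findings
    pid = int(raw)
    try:
        os.kill(pid, 0)              # signal 0: existence check only
    except (ProcessLookupError, OverflowError):
        findings.append("stale PID %d (no such process)" % pid)
        return findings
    except PermissionError:
        pass                         # process exists under another uid
    cmdline_path = "/proc/%d/cmdline" % pid   # Linux only
    if expected_cmd and os.path.exists(cmdline_path):
        with open(cmdline_path, "rb") as fh:
            cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace")
        if expected_cmd not in cmdline:
            findings.append("PID %d is not running %s" % (pid, expected_cmd))
    return findings

if __name__ == "__main__":
    # Placeholder path: the bulletin does not say where OTRS keeps the file.
    for finding in audit_pid_file("/path/to/otrs/scheduler.pid", os.getuid(),
                                  "otrs.Scheduler.pl"):
        print("FINDING:", finding)
```

Pass the uid of the account that runs the scheduler as expected_uid when the audit itself runs under a different account.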
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OTRS-denial-of-service-via-otrs-Scheduler-pl-18000