Vigil@nce - OTRS Help Desk: information disclosure via Outbound E-Mail
May 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can read emails sent by OTRS Help Desk, in order to
obtain sensitive information.
– Impacted products: OTRS Help Desk
– Severity: 1/4
– Creation date: 12/05/2015
DESCRIPTION OF THE VULNERABILITY
The OTRS Help Desk product sends emails containing tickets.
However, the In-Reply-To and References email headers contain the
MessageID value, which indicates the domain name of the server.
An attacker can therefore read emails sent by OTRS Help Desk, in
order to obtain sensitive information.
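The following Python check is an added example, not part of the Vigil@nce bulletin or of OTRS. A mail administrator can run it over a captured outbound message to list the domains in the Message-ID, In-Reply-To and References headers that are not on an approved public list. The sample message, its host names and the function name leaked_domains are constructed for illustration.

```python
import re
from email import message_from_string

# Headers that carry message identifiers of the form <local@domain>.
ID_HEADERS = ("Message-ID", "In-Reply-To", "References")
# Capture the domain part of each identifier found in a header value.
MSG_ID_RE = re.compile(r"<[^<>@\s]+@([^<>@\s]+)>")

# Constructed sample: an outbound ticket reply (reserved example domains).
SAMPLE = """\
From: Support <support@example.com>
To: customer@example.net
Subject: [Ticket#1000001] Re: Printer offline
Message-ID: <1431400000.123456.1@example.com>
In-Reply-To: <1431390000.654321.7@otrs01.corp.internal.example>
References: <1431380000.111111.3@otrs01.corp.internal.example>
 <1431390000.654321.7@otrs01.corp.internal.example>

Body text.
"""


def leaked_domains(raw_message, public_domains):
    """Return {header: [domains]} for identifier domains not in public_domains."""
    msg = message_from_string(raw_message)
    allowed = {d.lower().rstrip(".") for d in public_domains}
    findings = {}
    for header in ID_HEADERS:
        for value in msg.get_all(header, []):
            # Folded header lines are covered: identifiers hold no whitespace.
            for domain in MSG_ID_RE.findall(str(value)):
                domain = domain.lower().rstrip(".")
                if domain in allowed:
                    continue
                seen = findings.setdefault(header, [])
                if domain not in seen:
                    seen.append(domain)
    return findings


if __name__ == "__main__":
    for header, domains in leaked_domains(SAMPLE, {"example.com"}).items():
        print(f"{header}: exposes {', '.join(domains)}")
```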
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OTRS-Help-Desk-information-disclosure-via-Outbound-E-Mail-16874