This bulletin was written by Vigil@nce : http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

An attacker, who is authenticated on the OTRS iPhoneHandle
interface, can alter OTRS objects.

Severity: 2/4

Creation date: 18/07/2011

IMPACTED PRODUCTS

– OTRS

DESCRIPTION OF THE VULNERABILITY

The OTRS iPhoneHandle interface can be used by an administrator to
connect to OTRS, via a phone.

However, the CGI iPhoneHandle/bin/cgi-bin/json.pl script, and the
iPhoneHandle/Kernel/System/iPhone.pm kernel do not limit the
access to OTRS objects.

An attacker, who is authenticated on the OTRS iPhoneHandle
interface, can therefore alter OTRS objects.

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/OTRS-privilege-elevation-via-iPhoneHandle-10846