# This patch fixes OSA-2018-03: An attacker who is logged into OTRS as a user
# may escalate their privileges by accessing a specially crafted URL.
# https://community.otrs.com/security-advisory-2018-03-security-update-for-otrs-framework/

diff -Naur otrs2-5.0.16.orig/Kernel/System/CustomerUser.pm otrs2-5.0.16/Kernel/System/CustomerUser.pm
--- otrs2-5.0.16.orig/Kernel/System/CustomerUser.pm	2017-01-17 03:39:35.000000000 +0100
+++ otrs2-5.0.16/Kernel/System/CustomerUser.pm	2018-10-12 13:35:13.915216552 +0200
@@ -564,6 +564,35 @@
         return;
     }
 
+    # Don't allow overwriting of native user data.
+    my %Blacklisted = (
+        UserID         => 1,
+        UserLogin      => 1,
+        UserPassword   => 1,
+        UserFirstname  => 1,
+        UserLastname   => 1,
+        UserFullname   => 1,
+        UserStreet     => 1,
+        UserCity       => 1,
+        UserZip        => 1,
+        UserCountry    => 1,
+        UserComment    => 1,
+        UserCustomerID => 1,
+        UserTitle      => 1,
+        UserEmail      => 1,
+        ChangeTime     => 1,
+        ChangeBy       => 1,
+        CreateTime     => 1,
+        CreateBy       => 1,
+        UserPhone      => 1,
+        UserMobile     => 1,
+        UserFax        => 1,
+        UserMailString => 1,
+        ValidID        => 1,
+    );
+
+    return 0 if $Blacklisted{ $Param{Key} };
+
     # check if user exists
     my %User = $Self->CustomerUserDataGet( User => $Param{UserID} );
     if ( !%User ) {
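Review bot: The `return 0 if $Blacklisted{ $Param{Key} };` on the new side rejects the write silently, so an attempt to set a reserved key (the very condition this advisory fix exists for) is indistinguishable to an operator from an ordinary backend failure and leaves nothing to alert on. Logging the refused key and the acting UserID before returning gives incident responders a trace; the same applies to the identical guard in the Kernel/System/User.pm hunk. The hard-coded list also has to be kept in step by hand with every native column the backend returns, so a comment such as `# Keep in sync with the fields returned by CustomerUserDataGet.` above `%Blacklisted` is worth adding. SetPreferences begins before this hunk and continues after it.
```perl
    # … unchanged: %Blacklisted definition …

    if ( $Blacklisted{ $Param{Key} } ) {
        $Kernel::OM->Get('Kernel::System::Log')->Log(
            Priority => 'error',
            Message  => "Refusing to set reserved preference key '$Param{Key}' for customer user '$Param{UserID}'!",
        );
        return 0;
    }

    # … unchanged: CustomerUserDataGet lookup …
```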
diff -Naur otrs2-5.0.16.orig/Kernel/System/User.pm otrs2-5.0.16/Kernel/System/User.pm
--- otrs2-5.0.16.orig/Kernel/System/User.pm	2017-01-17 03:39:35.000000000 +0100
+++ otrs2-5.0.16/Kernel/System/User.pm	2018-10-12 13:35:13.915216552 +0200
@@ -1187,6 +1187,22 @@
         }
     }
 
+    # Don't allow overwriting of native user data.
+    my %Blacklisted = (
+        UserID        => 1,
+        UserLogin     => 1,
+        UserPw        => 1,
+        UserFirstname => 1,
+        UserLastname  => 1,
+        UserFullname  => 1,
+        UserTitle     => 1,
+        ChangeTime    => 1,
+        CreateTime    => 1,
+        ValidID       => 1,
+    );
+
+    return 0 if $Blacklisted{ $Param{Key} };
+
     # get current setting
     my %User = $Self->GetUserData(
         UserID        => $Param{UserID},
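Review bot: The `%Blacklisted` set here is noticeably shorter than the one added to Kernel/System/CustomerUser.pm in the same patch — CreateBy, ChangeBy and the contact fields are absent. That may be correct if GetUserData does not return those keys for agents, but if it does, a preference with one of those names could still shadow native data; confirm against the column list GetUserData selects, and record the outcome in a comment such as `# Mirrors every key GetUserData returns from the user table; extend when a column is added.`. Maintaining two separately hand-edited copies of what is conceptually one "native keys" set invites drift, so a shared constant (or deriving the set from the native column names) would be safer over time. SetPreferences in this file also starts before the hunk and continues past it.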
