# This fixes OSA-2017-03, also known as CVE-2017-9324: An attacker with
# agent permission can gain administrative privileges / full access by
# opening a specific URL in a browser. Afterward, all system
# settings can be read and changed.
# Closes: #864319
# URL: https://www.otrs.com/security-advisory-2017-03-security-update-otrs-versions/
diff -Naur otrs2-5.0.16.orig/Kernel/Modules/Installer.pm otrs2-5.0.16/Kernel/Modules/Installer.pm
--- otrs2-5.0.16.orig/Kernel/Modules/Installer.pm 2017-01-17 03:39:35.000000000 +0100
+++ otrs2-5.0.16/Kernel/Modules/Installer.pm 2017-06-07 11:22:15.816099778 +0200
@@ -37,6 +37,15 @@
my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
+ if ( $Kernel::OM->Get('Kernel::Config')->Get('SecureMode') ) {
+ $LayoutObject->FatalError(
+ Message => Translatable('SecureMode active!'),
+ Comment => Translatable(
+ 'If you want to re-run the Installer, disable the SecureMode in the SysConfig.'
+ ),
+ );
+ }
+
# check env directories
$Self->{Path} = $ConfigObject->Get('Home');
if ( !-d $Self->{Path} ) {
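Review bot: The added guard fetches the config object again with `$Kernel::OM->Get('Kernel::Config')->Get('SecureMode')` although `$ConfigObject` is assigned on the line directly above it; `if ( $ConfigObject->Get('SecureMode') ) {` is shorter and keeps a single lookup path. The guard has no `return` after `FatalError()`, so the installer steps below stay locked only if that call ends the request, which is not visible in this hunk. I would document that dependency with a comment such as `# FatalError() must not return here: the installer stays locked while SecureMode is set (OSA-2017-03)`. The enclosing sub starts and ends outside the hunk. Because the check only takes effect when SecureMode is enabled, deployments should confirm the setting is switched on once installation is finished.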