Web applications that store and transmit any kind of sensitive or personal data should only allow secure, encrypted traffic. Yet, the traditional method of installing ((OTRS)) Community Edition didn't really cover this part, leaving it as an exercise for the administrator. And while configuring SSL on a server isn't too difficult, it does require additional work and might take quite a bit of time if things don't go smoothly right away.
We strive to make ((OTRS)) Community Edition more secure and easier to use, not only for end users, but administrators as well, so we thought it's time to address this matter. The new version of our automated Shell Installer utility allows you to easily install a free SSL certificate provided by the non-profit Let's Encrypt project. All you need is to have a domain name pointing to the server on which the system is being installed, and to provide an e-mail address for administrative notifications.
This is how the configuration looks during installation:
The installed certificate will be renewed automatically, as is usually the case with Let's Encrypt certificates. The system will also be configured to enforce encrypted connections by redirecting any browser that tries to connect using plain HTTP.
The updated shell installation tool is now available in the Downloads section and we welcome you to try it out. It is still considered experimental, but will soon be ready for prime time.
Version 6.0.33 of ((OTRS)) Community Edition is now available.
This version comes with several security fixes, including a denial of service vulnerability that potentially allowed an attacker to cause a performance drop or even a complete crash of the system by sending a specially crafted e-mail message. This vulnerability was discovered by Alberto Molina and reported by OTRS AG in security advisory OSA-2021-16.
CKEditor updated from version 4.16.0 to version 4.17.1 (fixes several XSS vulnerabilities; release information: CKEditor 4.17)
As our refreshed version of the ((OTRS)) Community Edition agent interface is getting closer and closer to release, we have made it available for testing on our demo server. If you would like to take a peek at how the new interface looks and feels, you are welcome to go to new.demo.otrsce.com and try it out!
You will find a switch at the bottom of the page which toggles between the old and new interface style, making it easy to compare the original look and the refreshed one.
Please keep in mind that this version is not ready for prime time yet; there are still a lot of (mostly) small fixes that need to be made, and we're working on them -- watch this space for updates.
When looking for the next help desk system for your company, nothing beats being able to take it for a spin. Our website now allows you to easily try out ((OTRS)) Community Edition by launching your own test instance that you can use for up to 7 days. You can also share a link to the demo if you want to test the system with your workmates.
If there's one thing that all software projects have in common, it's delays.
Our fork of ((OTRS)) Community Edition is no different: it's taking us longer
than expected to reach the next planned milestones, so we decided to update our
roadmap again and move the release of the refreshed agent interface,
as well as the report from our security audit, into early September.
The main reason is that we simply have way more work than we expected building
solutions around OTRS CE for our business clients. While this has the positive
outcome of growing the user base of the fork, it also means we have less time
for the day-to-day development of the core application. To address that, we're
working on expanding our team, so hopefully things will improve in the next
couple of weeks.
Of course, this doesn't mean we have made no progress on the items on our
roadmap. As a teaser, here are a few screenshots showing how the agent interface
will look after the refresh (click to enlarge).
New phone ticket screen:
Customer users administration screen:
These are still work-in-progress and subject to change, but you get the picture.
And to tease a bit more, we are also working on a few features not included in
the roadmap, but ones that we believe will be useful to the users. Watch this
space for more information in the next week or two.
One of the nuisances of the classic version of ((OTRS)) Community Edition is that when installing the system from source (rather than system software repositories, using e.g. yum or apt), the installation process is a bit tedious. It requires the user to go through a series of configuration tasks, choosing the right variant for their operating system. Why do that manually though when you have a machine that's perfectly capable of following strict instructions?
This led to the idea of making an installation utility to automate most of this process and make it easier, faster, and less error-prone. Most importantly, we wanted to make the installer user-friendly, so even though it's a command-line application, we decided to use colorful, well-formatted output to clearly communicate what's happening during the installation and to present the user with straightforward, simple choices.
And, in the spirit of classic terminal-based software, we even added an ANSI-art splash screen:
At this point the installer is able to perform a full installation of ((OTRS)) Community Edition version 6.0.32 on CentOS 8, and Ubuntu Server support is in the works. Before the first release, we plan to add support for a few more configurations.
Watch the short video below to get a sneak peek at how the tool works and see
the complete installation process on a plain CentOS 8 machine:
Our plans for further development of the installer include:
Support for more distributions and configurations
Support for different databases
Support for external database servers
Unattended installation mode
With the first release, we will also open source the tool so that the community can participate in its development.
Our 2021 development roadmap has just been updated to reflect some changes to the original timeline that we decided to make.
Most importantly, we have taken more time to work on fixing the security issues both in the base ((OTRS)) Community Edition system, as well as its popular add-ons (namely, new versions of the FAQ and ITSM Configuration Management packages).
The initial idea was to finish the security audit and then release a new version of the software. However, with a number of security issues discovered during the audit, as well as those found in other forked versions, we decided it was more important to roll out the security fixes to users as soon as possible rather than wait until the audit is concluded. The result was the recent 6.0.32 release, which saw the light of day last week.
This doesn't mean we made no progress on the items in the roadmap -- here are a few updates on the items planned for the nearest future:
Refreshed agent interface - We are making steady progress on subsequent screens and UI elements of the refreshed interface. The first version to make it into a release is planned for the end of June.
Easier installation and update process - This has been split into separate items and so far most of our focus was on the new installation part, putting updates aside for later. We plan to have a working solution that we can show to the community around mid-June. Expect some more information next week!
Internal security audit - With most of the research work completed, we are in the process of collecting the findings and putting together a report. Our goal is to publish it in the second half of June.
We have just released version 6.0.32 of ((OTRS)) Community Edition.
This is a security release which fixes numerous vulnerabilities discovered during our ongoing security audit, as well as reported in other forked versions of ((OTRS)) Community Edition based on the original project.
We advise all users of previous versions of the software to update to this release to improve the security of their systems and data.
The following security issues are fixed in this release:
A serious Cross-Site Scripting (XSS) vulnerability in ticket overview (identified by Znuny GmbH and Nina Knipprath)
A regular expression-related denial of service (DoS) vulnerability (identified by Znuny GmbH)
Unauthorized listing of ticket recipients via AJAX call (discovered during internal security audit)
Unauthorized access to calendar appointment data (discovered during internal security audit)
Possible agent and customer user account enumeration through password recovery feature (discovered during internal security audit)
Possible agent user account enumeration through public calendar URL (discovered during internal security audit)
A minor reflected XSS issue in appointment edit popup (discovered during internal security audit)
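The account enumeration issue in the list above comes from a password recovery handler whose reply depends on whether the login exists. The following added example (illustrative code, not taken from ((OTRS)) Community Edition; the account store and the `OUTBOX` mail queue are constructed for the demo) shows an enumeration-prone handler beside a hardened one that answers identically and does the same work for known and unknown logins, plus a small check a reviewer can run against either.

```python
import hashlib
import hmac
import secrets

# Constructed sample account store (login -> e-mail); not OTRS data.
ACCOUNTS = {"agent1": "agent1@example.com", "customer7": "customer7@example.com"}
OUTBOX = []  # stands in for the outgoing mail queue so the effect can be inspected
SECRET = secrets.token_bytes(32)  # per-instance secret for reset tokens


def _reset_token(login: str) -> str:
    """Derive a fresh reset token; it only ever travels in the e-mail, never in the reply."""
    nonce = secrets.token_bytes(16)
    return hmac.new(SECRET, login.encode() + nonce, hashlib.sha256).hexdigest()


def recover_vulnerable(login: str) -> str:
    """Enumeration-prone: the reply text tells the caller whether the login exists."""
    if login not in ACCOUNTS:
        return "Login not found"
    OUTBOX.append((ACCOUNTS[login], _reset_token(login)))
    return "Password reset e-mail sent"


def recover_hardened(login: str) -> str:
    """Indistinguishable reply: same text, and the token is computed on every path."""
    token = _reset_token(login)  # always computed, so the work does not branch on existence
    email = ACCOUNTS.get(login)
    if email is not None:
        OUTBOX.append((email, token))  # mail goes out only for real accounts
    return "If the login exists, a password reset e-mail has been sent"


def leaks_existence(handler) -> bool:
    """Reviewer check: does the handler answer differently for a real and a bogus login?"""
    return handler("agent1") != handler("no-such-login-zzz")
```

The reply text is only half of the fix: if sending the mail is slow and synchronous, response time still reveals the account, so the actual send should be queued rather than awaited in the request.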
Additionally, a few bundled Perl modules have been updated in this release due to security issues in previously distributed versions:
Continuing our efforts to ensure the security of ((OTRS)) Community Edition, we
have just released a new security fix for one of the popular ITSM packages.
Having just published a fixed version of the FAQ package, we turned to the next item on our list: the
ITSMConfigurationManagement package, which was the subject of another
recent security advisory issued by OTRS AG: OSA-2021-07.
Again, the information provided in the advisory wasn't too specific:
Agents are able to see linked Config Items without permissions, which are
defined in General Catalog.
Our analysis of the package's source code revealed that it is
possible for an agent to craft a request for a specific version of a config
item that they should not be allowed to access, but the system will return the
We have implemented a solution and released a new version of the package.
It is available for download as an OPM file in the
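The config item issue described above is a missing authorization check on a lookup by version ID: the version is fetched directly, so the permission defined for the item's class in the General Catalog is never consulted. The following added example (illustrative Python, not the package's Perl code; the items, classes and agent permissions are constructed for the demo) contrasts that lookup with one that resolves the version back to its config item and checks the agent's class permission before returning anything.

```python
from dataclasses import dataclass, field

@dataclass
class ConfigItemVersion:
    version_id: int
    item_id: int
    data: dict

@dataclass
class ConfigItem:
    item_id: int
    class_name: str  # config item class as defined in the General Catalog
    versions: list = field(default_factory=list)

# Constructed sample data; not taken from the ITSMConfigurationManagement package.
ITEMS = {
    1: ConfigItem(1, "Computer", [ConfigItemVersion(10, 1, {"name": "ws-01"})]),
    2: ConfigItem(2, "Software", [ConfigItemVersion(20, 2, {"name": "payroll-db"})]),
}
VERSIONS = {v.version_id: v for item in ITEMS.values() for v in item.versions}
# Agent -> config item classes the agent holds read permission on.
AGENT_CLASS_RO = {"alice": {"Computer"}, "bob": {"Computer", "Software"}}


def version_get_vulnerable(agent: str, version_id: int) -> dict:
    """Fetches the version by ID alone; the agent's class permission is never checked."""
    return VERSIONS[version_id].data


def version_get_hardened(agent: str, version_id: int) -> dict:
    """Resolves version -> config item -> class and enforces the class permission."""
    version = VERSIONS.get(version_id)
    if version is None:
        # Same failure as for a forbidden version, so IDs cannot be probed for existence.
        raise PermissionError("version not accessible")
    item = ITEMS[version.item_id]
    if item.class_name not in AGENT_CLASS_RO.get(agent, set()):
        raise PermissionError("version not accessible")
    return version.data


def can_read_version(agent: str, version_id: int) -> bool:
    """Reviewer check: True only when the hardened lookup grants access."""
    try:
        version_get_hardened(agent, version_id)
        return True
    except PermissionError:
        return False
```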