Last modified: 2014-08-31 00:53:03 UTC
This is a migration from <https://otrs-wiki.wikimedia.org/wiki/OTRS_technical_challenges>.

Attached images are sent with a content-disposition header so that they cannot be viewed in the browser, only downloaded. It is a slight inconvenience only, but also an easy fix, I presume.

----

Looking around, this could be because of the security vulnerability way back in 2005 (http://www.otrs.com/open-source/community-news/security-advisories/security-advisory-2005-01/). However, as we are on a more recent version, this shouldn't be a problem.

I believe the configuration needs to be changed from AttachmentDownloadType = "attachment" to AttachmentDownloadType = "inline" (the default configuration). This could be something in the admin interface?
Yes, seems to be a configuration issue, according to http://doc.otrs.org/2.4/en/html/a2982.html B.1.25.14. AttachmentDownloadType : "Allows choosing between showing the attachments of a ticket in the browser (inline) or just make them downloadable (attachment)."
Unfortunately, this is still a bit of a risk. Most browsers still do some content sniffing, so what OTRS did with the patch is still the right thing to do. MediaWiki itself has extensive filtering against these types of attacks, by not allowing files that would trigger these attacks to be uploaded. The alternative is to either filter the incoming attachments, or serve them from an alternate domain name.
Thanks for explaining. Decreasing priority again for security reasons, unfortunately.
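
The filtering alternative raised in the content-sniffing comment above, sketched as an added example (not OTRS or MediaWiki code): an attachment is served inline only when its declared type is on a small image allowlist, its leading bytes match that type, and no HTML-like markup appears in the sniffed window; everything else is forced to download. The allowlist, the 1024-byte window, the tag pattern and the function name are assumptions made for illustration.

```python
import re

# Assumed allowlist: types the deployment will render in the browser, each
# with the leading bytes a genuine file of that type must start with.
INLINE_MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Markup that can make a sniffing browser treat the body as HTML (assumed list).
HTML_HINT = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|iframe|svg|a\s|img|title|\?xml)",
    re.I,
)

SNIFF_WINDOW = 1024  # bytes inspected at the start of the file (assumption)


def attachment_headers(filename, declared_type, body):
    """Return the response headers for serving one ticket attachment."""
    head = body[:SNIFF_WINDOW]
    ctype = declared_type.split(";")[0].strip().lower()
    magics = INLINE_MAGIC.get(ctype)
    # Inline only if allowlisted, magic bytes agree, and no markup is present.
    # A real image that happens to contain a tag-like byte run fails safe:
    # it is simply downloaded instead of displayed.
    safe_inline = (
        magics is not None
        and head.startswith(magics)
        and not HTML_HINT.search(head)
    )
    # Keep the filename from breaking out of the quoted header parameter.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "attachment"
    disposition = "inline" if safe_inline else "attachment"
    return {
        "Content-Type": ctype if safe_inline else "application/octet-stream",
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed samples: a plain PNG header, and a GIF header followed by HTML.
    print(attachment_headers("shot.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32))
    print(attachment_headers("x.gif", "image/gif", b"GIF89a<html><body>hi</body></html>"))
```

Serving attachments from an alternate domain name, the other option named in the thread, would sit in front of this check rather than replace it.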