osTicket Exploit 1.10.1 - Unauthenticated XSS to Privilege Escalation

A vulnerability in Enhancesoft’s flagship product osTicket could allow an unauthenticated, remote attacker to execute arbitrary JavaScript code to escalate to admin privileges. os Ticket is a widely-used open source support ticket system written in PHP.

The vulnerability resides in the application which allows an attacker to upload any arbitrary file. An attacker cannot execute a malicious PHP file as the file is stored in the database and not in the application server. Instead, malicious SVG can be stored and executed. As SVG is rendered on the same domain and allows javascript the technique can be used to exploit the vulnerability and use the arbitrary file vulnerability to store XSS payload.

os Ticket vulnerabilities anyone to create a support ticket. And while creating a ticket an attacker can upload the malicious SVG as described above. This is accessible by both customers as well as administrators. Once the admin opens the malicious file, the XSS payload is executed at the admin panel which compromises the integrity. An attacker can inject arbitrary HTML and JavaScript code into the website. This would alter the appearance. And since the application doesn't set cookie flags programmatically, an attacker can compromise the administrative user by stealing the cookies using document. cookie

(osTicket) Vulnerable Code

Below function, attach() accepts the file without validating it, which allows a user to upload an attacker to upload any arbitrary file.

1

 

Function download() fetches the file along with the mentioned headers. In the below code snippet, the disposition is passed to the download function and in the case of an SVG inline is passed instead of the default value attachment.

 

2-38437

 

Here, session_set_cookie_params lacks the HttpOnly flag, allowing any JavaScript to access the cookie.

 

3

 

Proof of Concept

4
 

When creating a new ticket a user can upload images. Since no restriction is implemented on filetype an attacker can upload an arbitrary file, here it is an SVG with malicious JavaScript.

 

5
 

As the Content-Disposition for SVG is inline the file is rendered by the browser instead of downloading it.

Additionally, Cookie is not marked HttpOnly as discussed previously. This can allow an attacker to fetch the session cookie of a user.

6
 

The ticket is accessible by admin and thus after clicking on the file the SVG is rendered on the browser and the admin user’s session is compromised.

Vendor Confirmed: Yes

Version: 1.10.1

Solution: Update to the latest version

Fixed Version: 1.10.2 or later.

Vendor URL: https://osticket.com/

 

Published on Aug 14, 2019
Abhinav Vasisth
Written by Abhinav Vasisth
Abhinav Vasisth is a certified ethical hacker and the security research lead at Appknox, a mobile security suite that helps enterprises automate mobile security. Abhinav has been a critical member of Appknox for 5 years, reinventing the standards of mobile app security against evolving threats. He is highly regarded in the industry for his expertise, speaks at various security conferences like PHDays, and has collaborated with numerous enterprises to safeguard their digital assets.
When he's not outsmarting hackers, he listens to metal music or is lost in books.

Questions?

Chat With Us

Using Other Product?

Switch to Appknox

2 Weeks Free Trial!

Get Started Now