A vulnerability in Enhancesoft’s flagship product osTicket was found that could allow an unauthenticated, remote attacker to execute arbitrary JavaScript code to escalate to admin privileges. osTicket is a widely-used open source support ticket system written in PHP.

The vulnerability resides in the application which allows an attacker to upload any arbitrary file. As the file is stored in the database and not in the application server, an attacker cannot execute a malicious PHP file. Instead, malicious SVG can be stored and executed. As SVG is rendered on the same domain and allows javascript the technique can be used to exploit the vulnerability and use the arbitrary file vulnerability to store XSS payload.

osTicket allows anyone to create a support ticket. And while creating a ticket an attacker can upload the malicious SVG as described above. This is accessible by both customers as well as administrators. Once the admin opens the malicious file, the XSS payload is executed at the admin panel which compromises the integrity. An attacker can inject arbitrary HTML and JavaScript code into the web site. This would alter the appearance. And since the application doesn't set cookie flags programmatically, an attacker can compromise the administrative user by stealing the cookies using document.cookie

Vulnerable Code

Below function attach() accepts the file without validating it. Which allows a user to upload an attacker to upload any arbitrary file.



Function download() fetches the file along the mentioned headers. In the below code snippet, the disposition is passed to the download function and in case of an SVG inline is passed instead of default value attachment.




Here, session_set_cookie_params lacks HttpOnly flag which allows any JavaScript to access the cookie.




Proof of Concept



When creating a new ticket a user can upload images. Since no restriction is implemented on filetype an attacker can upload an arbitrary file, here it is an SVG with malicious JavaScript.



As the Content-Disposition for SVG is inline the file is rendered by the browser instead of downloading it.

Additionally, Cookie is not marked HttpOnly as discussed previously. This can allow an attacker to fetch the session cookie of a user.


The ticket is accessible by admin and thus after clicking on the file the SVG is rendered on the browser and the admin user’s session is compromised.

Vendor Confirmed: Yes

Version: 1.10.1

Solution: Update to the latest version

Fixed Version: 1.10.2 or later.

Vendor URL: https://osticket.com/


Topics: XSS, application security, Vulnerability

Recent Posts