A vulnerability in Enhancesoft’s flagship product osTicket could allow an unauthenticated, remote attacker to execute arbitrary JavaScript code to escalate to admin privileges. os Ticket is a widely-used open source support ticket system written in PHP.

The vulnerability resides in the application which allows an attacker to upload any arbitrary file. An attacker cannot execute a malicious PHP file as the file is stored in the database and not in the application server. Instead, malicious SVG can be stored and executed. As SVG is rendered on the same domain and allows javascript the technique can be used to exploit the vulnerability and use the arbitrary file vulnerability to store XSS payload.

os Ticket vulnerabilities anyone to create a support ticket. And while creating a ticket an attacker can upload the malicious SVG as described above. This is accessible by both customers as well as administrators. Once the admin opens the malicious file, the XSS payload is executed at the admin panel which compromises the integrity. An attacker can inject arbitrary HTML and JavaScript code into the website. This would alter the appearance. And since the application doesn't set cookie flags programmatically, an attacker can compromise the administrative user by stealing the cookies using document. cookie

(osTicket) Vulnerable Code

Below function, attach() accepts the file without validating it, which allows a user to upload an attacker to upload any arbitrary file.

Function download() fetches the file along with the mentioned headers. In the below code snippet, the disposition is passed to the download function and in the case of an SVG inline is passed instead of the default value attachment.

Here, session_set_cookie_params lacks the HttpOnly flag, allowing any JavaScript to access the cookie.

Proof of Concept

When creating a new ticket a user can upload images. Since no restriction is implemented on filetype an attacker can upload an arbitrary file, here it is an SVG with malicious JavaScript.