menu
close_24px

BLOG

osTicket Exploit 1.10.1 - Unauthenticated XSS to Privilege Escalation

A vulnerability in osTicket was found that allowed an unauthenticated remote attacker to execute arbitrary JavaScript code to escalate to admin privileges
  • Posted on: Aug 14, 2019
  • By Abhinav Vasisth
  • Read time 1 Min
  • Last updated on: May 13, 2024

A vulnerability in Enhancesoft’s flagship product osTicket could allow an unauthenticated, remote attacker to execute arbitrary JavaScript code to escalate to admin privileges. os Ticket is a widely-used open source support ticket system written in PHP.

The vulnerability resides in the application which allows an attacker to upload any arbitrary file. An attacker cannot execute a malicious PHP file as the file is stored in the database and not in the application server. Instead, malicious SVG can be stored and executed. As SVG is rendered on the same domain and allows javascript the technique can be used to exploit the vulnerability and use the arbitrary file vulnerability to store XSS payload.

os Ticket vulnerabilities anyone to create a support ticket. And while creating a ticket an attacker can upload the malicious SVG as described above. This is accessible by both customers as well as administrators. Once the admin opens the malicious file, the XSS payload is executed at the admin panel which compromises the integrity. An attacker can inject arbitrary HTML and JavaScript code into the website. This would alter the appearance. And since the application doesn't set cookie flags programmatically, an attacker can compromise the administrative user by stealing the cookies using document. cookie

(osTicket) Vulnerable Code

Below function, attach() accepts the file without validating it, which allows a user to upload an attacker to upload any arbitrary file.

1

 

Function download() fetches the file along with the mentioned headers. In the below code snippet, the disposition is passed to the download function and in the case of an SVG inline is passed instead of the default value attachment.

 

2-38437

 

Here, session_set_cookie_params lacks the HttpOnly flag, allowing any JavaScript to access the cookie.

 

3

 

Proof of Concept

4
 

When creating a new ticket a user can upload images. Since no restriction is implemented on filetype an attacker can upload an arbitrary file, here it is an SVG with malicious JavaScript.

 

5
 

As the Content-Disposition for SVG is inline the file is rendered by the browser instead of downloading it.

Additionally, Cookie is not marked HttpOnly as discussed previously. This can allow an attacker to fetch the session cookie of a user.

6
 

The ticket is accessible by admin and thus after clicking on the file the SVG is rendered on the browser and the admin user’s session is compromised.

Vendor Confirmed: Yes

Version: 1.10.1

Solution: Update to the latest version

Fixed Version: 1.10.2 or later.

Vendor URL: https://osticket.com/

 
XSS application security security Vulnerability
Abhinav Vasisth is a certified ethical hacker and the security research lead at Appknox, a mobile security suite that helps enterprises automate mobile security. Abhinav has been a critical member of Appknox for 5 years, reinventing the standards of mobile app security against evolving threats. He is highly regarded in the industry for his expertise, speaks at various security conferences like PHDays, and has collaborated with numerous enterprises to safeguard their digital assets.
When he's not outsmarting hackers, he listens to metal music or is lost in books.

Subscribe now for growth-boosting insights from Appknox

We have so many ideas for new features that can help your mobile app security even more efficiently. We promise you that we wont mail bomb you, just once in a month.