huntr report 70A7FD8C-7E6F-4A43-9F8C-163B8967B16E, submitted by indevi0us
Dec 06, 2022 - 6:10 p.m.

Reflected XSS in Advanced Ticket Search

www.huntr.dev
Tags: reflected xss, advanced ticket search, javascript code, request, session, proof of concept, bug bounty

EPSS: 0.001 (percentile 25.6%)

Description

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application’s immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user’s browser in the context of that user’s session with the application.

In this specific case, after authenticating as an agent (administrative privileges are not required), the advanced ticket search functionality is reachable from scp/tickets.php. It presents a drop-down list of searches whose options are identified by incremental integers, and those integers are passed in the parent_id and pid GET parameters.

Because the parent_id or pid value is reflected into the <input> tag that expects this integer without being encoded, a double quote in the parameter closes the attribute and the tag, and the remainder of the value is rendered as markup. This allows arbitrary JavaScript to be injected, which runs in the browser of the victim user who opens the crafted link.

Proof of Concept (exploiting parent_id GET parameter):

http://<TARGET>/osTicket/scp/ajax.php/tickets/search?parent_id=1"><svg/x=">"/onload=confirm()//

Proof of Concept (exploiting pid GET parameter):

http://<TARGET>/osTicket/scp/ajax.php/tickets/search/create?pid=adhoc%2cpdXBTnfSg0riebm%22%3e%3cscript%3ealert(1)%3c%2fscript%3etgghb
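To make the root cause and the remediation concrete, the following Python snippet is added here as an illustration; it is not code from osTicket or from the report. It models the vulnerable pattern (a request parameter interpolated verbatim into an <input> attribute) next to two defensive controls that each stop the injection on their own: allow-list validation of the identifier as an integer, and attribute-context HTML encoding of whatever is reflected. The rendering functions and the `osticket.example` host in the sample URL are constructed for the example; the two payload values are the ones from the proof-of-concept URLs above, URL-decoded.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Payload values from the two proof-of-concept URLs on this page, URL-decoded.
POC_PARENT_ID = '1"><svg/x=">"/onload=confirm()//'
POC_PID = 'adhoc,pdXBTnfSg0riebm"><script>alert(1)</script>tgghb'

# The pid proof-of-concept URL with a constructed placeholder host.
POC_PID_URL = ("http://osticket.example/osTicket/scp/ajax.php/tickets/search/create"
               "?pid=adhoc%2cpdXBTnfSg0riebm%22%3e%3cscript%3ealert(1)%3c%2fscript%3etgghb")


def render_hidden_input_unsafe(name: str, value: str) -> str:
    """Vulnerable pattern (hypothetical template): the parameter is interpolated
    verbatim, so a double quote in it ends the attribute and the tag."""
    return f'<input type="hidden" name="{name}" value="{value}">'


def render_hidden_input_safe(name: str, value: str) -> str:
    """Hardened pattern: encode for HTML attribute context. quote=True turns
    both " and ' into entities in addition to <, > and &, so the value can
    never terminate the quoted attribute it sits in."""
    return f'<input type="hidden" name="{name}" value="{html.escape(value, quote=True)}">'


def is_numeric_id(value: str) -> bool:
    """Allow-list validation: the search identifiers are incremental integers,
    so anything that is not a plain digit string is rejected before it is
    ever rendered."""
    return value.isdigit()


class _TagCollector(HTMLParser):
    """Records every start tag and its (entity-decoded) attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_markup(markup: str) -> list[tuple[str, dict]]:
    """Parse rendered markup the way a browser would and return the start
    tags it contains; an injected element shows up as an extra tag."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


def tag_names(markup: str) -> list[str]:
    return [tag for tag, _ in parse_markup(markup)]


def query_param(url: str, name: str) -> str:
    """URL-decode a single query parameter (what the server sees after decoding)."""
    return parse_qs(urlsplit(url).query)[name][0]


if __name__ == "__main__":
    for name, payload in (("parent_id", POC_PARENT_ID), ("pid", POC_PID)):
        print(f"{name}: passes integer validation? {is_numeric_id(payload)}")
        print("  unsafe render yields tags:", tag_names(render_hidden_input_unsafe(name, payload)))
        print("  safe render yields tags:  ", tag_names(render_hidden_input_safe(name, payload)))
```

The parser-based check is the useful part for a reviewer or a regression test: a correctly encoded reflection always yields exactly one `input` element whose `value` attribute decodes back to the original string, whereas the unencoded reflection yields a second element (`svg` or `script`) the template never wrote.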
