=============================================
- Release date: February 4th, 2016
- Discovered by: Giovanni Cerrato and Enrico Cinquini
- Severity: High
=============================================

I. VULNERABILITY
-------------------------
osTicket multiple vulnerabilities.

II. INTRODUCTION
-------------------------
The latest version of osTicket (v1.9.12) is affected by multiple vulnerabilities.

III. DESCRIPTION
-------------------------

1) UPLOAD HTML FILE

It is possible to upload files attached to a ticket at the URL:

https://hostname/upload/open.php

There are some controls that block disallowed file types (e.g. php, html), but they are enforced only client-side, not server-side, so they can be easily bypassed with a tool like Burp Suite. The files are then uploaded and reachable at a specific URL like the following example:

https://hostname/file.php?key=qycj1msethqx49ilidrwxrurvebbsipa&expires=1447372800&signature=6ee71ea7dee17cac30a884f4cf823c6734e1115d

This vulnerability could be used, for example, to perform an XSS attack or to upload a fake login page.

2) MISSING FUNCTION LEVEL ACCESS CONTROL

It is possible to access some contents of the web application without authentication. Any ticket attachment can be viewed simply by calling its URL, like the following:

https://hostname/file.php?key=qycj1msethqx49ilidrwxrurvebbsipa&expires=1447372800&signature=6ee71ea7dee17cac30a884f4cf823c6734e1115d

This vulnerability, combined with the unrestricted HTML upload, can be used to carry out phishing and/or XSS attacks via email. To do so, anyone only needs to upload an HTML file containing malicious JavaScript or a phishing page and then spread the associated URL.

3) STORED CROSS SITE SCRIPTING

The application is vulnerable to several stored XSS attacks.

URL: https://hostname/scp/users.php
Functionality: Add User
Form parameter affected: Internal Notes

URL: https://hostname/scp/orgs.php
Functionality: Add Organization
Form parameter affected: Name, Internal Notes

URL: https://hostname/scp/categories.php
Functionality: Add New Category
Form parameter affected: Category Description, Internal Notes

URL: https://hostname/scp/departments.php
Functionality: Add New Department
Form parameter affected: Department Signature

URL: https://hostname/scp/teams.php
Functionality: Add New Team
Form parameter affected: Admin Notes, Name

URL: https://hostname/scp/groups.php
Functionality: Add New Group
Form parameter affected: Admin Notes

URL: https://hostname/scp/banlist.php
Functionality: Ban New Email
Form parameter affected: Admin Notes

URL: https://hostname/scp/profile.php
Functionality: Edit profile
Form parameter affected: Signature

A proof of concept can be obtained using the following JavaScript code:

4) SESSION FIXATION

The application does not regenerate the session id cookie (OSTSESSID) after authentication, so it is prone to session fixation attacks. This vulnerability can be used to hijack a valid user session.

IV. BUSINESS IMPACT
-------------------------
An attacker could upload malicious files, hijack a valid user session, perform XSS or phishing attacks and access sensitive information.

V. SYSTEMS AFFECTED
-------------------------
Version 1.9.12 is vulnerable.

VI. SOLUTION
-------------------------
It is necessary to:
- implement a strong server-side upload filter to prevent the upload of malicious files
- implement an input validation mechanism to avoid being vulnerable to XSS injection
- review and correct access control so that unauthenticated users cannot access sensitive documents

VII. REFERENCES
-------------------------
osTicket website: http://osticket.com/
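As an added example that is not osTicket's own code, the following PHP sketches the server-side checks the solution section calls for: an extension and content-type allow-list evaluated on the server rather than in the browser, download headers that stop a stored attachment from being rendered as HTML, and session-id regeneration after login. The constant and function names are assumptions, as is the specific allow-list.

```php
<?php
// Added example (not osTicket's code). Assumed names: ATTACHMENT_ALLOWLIST,
// validate_upload(), send_attachment_headers(), on_login_success().

// Allowed extensions mapped to the MIME types expected for their content.
// Active content (html, htm, php, svg, ...) is simply absent from the list.
const ATTACHMENT_ALLOWLIST = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'txt'  => ['text/plain'],
];

// Returns null when the upload is acceptable, otherwise the rejection reason.
// $tmpPath is the temporary file PHP created for the upload ($_FILES[...]['tmp_name']).
function validate_upload(string $originalName, string $tmpPath): ?string
{
    // Require exactly "name.ext": rejects double extensions such as page.php.txt.
    $parts = explode('.', strtolower(basename($originalName)));
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return 'filename must be name.ext with a single extension';
    }
    $ext = $parts[1];
    if (!isset(ATTACHMENT_ALLOWLIST[$ext])) {
        return "extension .$ext is not allowed";
    }
    // Decide on the bytes actually uploaded, never on the client-supplied type.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if ($detected === false || !in_array($detected, ATTACHMENT_ALLOWLIST[$ext], true)) {
        return "content type " . ($detected ?: 'unknown') . " does not match .$ext";
    }
    return null;
}

// Headers for serving a stored attachment (call only after the caller has
// verified the requester is entitled to that ticket). Forcing a download and
// disabling sniffing means a stored HTML file is never executed in the app origin.
function send_attachment_headers(string $storedName): void
{
    $safeName = str_replace(['"', "\r", "\n"], '', basename($storedName));
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
}

// After a successful login: issue a fresh session id and discard the old one,
// so a session id planted before authentication is worthless.
function on_login_success(): void
{
    session_regenerate_id(true);
}
```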
VIII. CREDITS
-------------------------
The vulnerability has been discovered by:
Giovanni Cerrato cerrato(dot)gianni(at)gmail(dot)com
Enrico Cinquini enrico(dot)cinquini(at)gmail(dot)com

IX. ADVISORY TIMELINE
-------------------------
November 10th, 2015: Vulnerability identification
November 17th, 2015: First contact with vendor
November 19th, 2015: Vendor notified
November 25th, 2015: Asking for status update
November 30th, 2015: Vendor response; investigating
December 16th, 2015: Asking for status update
December 18th, 2015: Vendor says that the vulnerabilities will be fixed in the new version
January 11th, 2016: Provided more details to vendor
January 25th, 2016: Asking for status update
February 2nd, 2016: Advised vendor public disclosure date will be February 4th
February 2nd, 2016: Vendor provides status update (still investigating)
February 4th, 2016: Public disclosure

X. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. We accept no responsibility for any damage caused by the use or misuse of this information.