Improper Restriction of Rendered UI Layers or Frames in osticket/osticket
Sep 20th 2021
The URL parser incorrectly parses the URL given in iframe src attributes. An attacker is able to inject iframe elements linking to arbitrary domains, which can then be viewed by admins, bypassing the embedded-domain whitelist.
Proof of Concept
<iframe src="[malicious-server]"> will render the [malicious-server] site rather than youtube.com, bypassing the embedded-domain whitelist.
While not equivalent to an XSS attack, because of the Same-Origin Policy, this vulnerability can be used to escalate a reflected XSS to a stored XSS. It can also be used for phishing through malicious forms hosted on the domain linked by the iframe element. If the user's browser is vulnerable, exploits loaded from the malicious site may also harm the user's browser.
The vulnerable code is at lines 337 to 345 of https://github.com/osTicket/osTicket/blob/cb6766e5e4cdb82bb5e7d7671d41b0a476f61e0a/include/class.format.php. The recommended fix is to take the domain from the part of the URL after the http:// string and parse it properly with a URL parser.
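As an added illustration of the recommended fix (this is not osTicket's own code and is not derived from class.format.php), the following Python contrasts a hypothetical substring-style allow-list check with a check that parses the URL and compares the host component exactly. The allow-list contents and the attacker.example host are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allow-list for embeddable iframe sources. osTicket's real list and
# its parsing code are not reproduced here; this is an illustration only.
ALLOWED_EMBED_HOSTS = {"www.youtube.com", "youtube.com"}


def naive_is_allowed(src: str) -> bool:
    """Hypothetical substring match, the pattern that parser confusion defeats.

    Any value that merely *contains* an allowed host name passes, regardless of
    which host the browser will actually connect to.
    """
    return any(host in src for host in ALLOWED_EMBED_HOSTS)


def strict_is_allowed(src: str) -> bool:
    """Allow-list check done as the advisory recommends: parse the value with a
    real URL parser and compare the host component exactly."""
    try:
        parts = urlsplit(src.strip())
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    # Require an explicit http(s) scheme; scheme-relative and other schemes fail closed.
    if parts.scheme not in ("http", "https"):
        return False
    # hostname is lower-cased with userinfo and port removed; None when absent.
    host = parts.hostname
    if host is None:
        return False
    # Embedded credentials and unusual ports are never needed for a video embed.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 80, 443):
        return False
    return host.rstrip(".") in ALLOWED_EMBED_HOSTS


def compare(src: str) -> tuple:
    """Return the (naive, strict) verdicts for one candidate src value."""
    return naive_is_allowed(src), strict_is_allowed(src)


if __name__ == "__main__":
    # Constructed sample src values; attacker.example is a placeholder host.
    for sample in (
        "https://www.youtube.com/embed/abc123",
        "https://www.youtube.com.attacker.example/embed/x",
        "https://attacker.example/?u=youtube.com",
        "//www.youtube.com/embed/x",
    ):
        print(f"{sample!r}: naive={naive_is_allowed(sample)} strict={strict_is_allowed(sample)}")
```

The strict check deliberately fails closed on anything the parser cannot attribute to an allow-listed host, which is the property the substring approach lacks.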