Improper Restriction of Rendered UI Layers or Frames in osticket/osticket

Valid

Reported on Sep 20th 2021

Description

The whitelist check applied to iframe src attributes matches the raw URL string with a regular expression instead of parsing the URL. Because the pattern only requires the value to begin with a whitelisted domain, a src whose userinfo component is a whitelisted domain (youtube.com@<host>) passes the check while the browser loads the host after the "@". An attacker can therefore inject iframe elements pointing at arbitrary domains, which are rendered when an admin views the content, bypassing the embedded domain whitelist.

Proof of Concept

<iframe src="http://youtube.com@[malicious-server]"> passes the check because the value starts with a whitelisted domain, but the browser treats youtube.com as the userinfo part of the URL and renders [malicious-server] rather than youtube.com, bypassing the embedded domain whitelist.

Impact

While this is not equivalent to an XSS on the osTicket origin, since the Same Origin Policy keeps a cross-origin framed document from reading the parent page, the bug can be used to escalate a reflected XSS to a stored XSS: the frame can be pointed at the application's own host (for example http://youtube.com@<osticket-host>/...), so a URL that triggers a reflected XSS is loaded every time the stored content is viewed. It can also be used for phishing, by framing a malicious form hosted on the attacker's domain inside the trusted interface. If the viewer's browser itself is vulnerable, exploit code served from the attacker's site could also attack the browser.

Recommended Fix

The vulnerable check is at lines 337 to 345 of https://github.com/osTicket/osTicket/blob/cb6766e5e4cdb82bb5e7d7671d41b0a476f61e0a/include/class.format.php. The recommended fix is to extract the host from the src value with a proper URL parser, which treats everything before an "@" in the authority as userinfo, and compare that host against the whitelist, rather than matching the raw string against a regular expression.
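As an added example (not osTicket's code and not part of the report), the script below transcribes the original and patched src patterns from the class.format.php hunk quoted later in this thread into JavaScript regexes and runs them next to a check that parses the src with the WHATWG URL parser and compares the host the browser will actually load. The whitelist entries, the regex escaping of those entries, the placeholder base URL used for protocol-relative values and the host-based check are assumptions made for this example; the sample src values are constructed.

```javascript
// Added example (not osTicket code): the iframe src whitelist check on this
// page, before and after the patch, next to a parse-based check.
// The two patterns are transcribed from the class.format.php lines in the
// thread; the whitelist entries, the regex escaping of those entries and the
// host-based check are assumptions made for this example.

const WHITELIST = ["youtube.com", "vimeo.com"]; // assumed whitelist entries

// Escape an entry so "." matches a literal dot (the page does not show whether
// osTicket escapes its entries; assumed here).
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

const alternation = WHITELIST.map(escapeRe).join("|");

// Original spec: src(match="`^(https?:)?//(www\.)?(<whitelist>)/?`i")
const originalRe = new RegExp(`^(https?:)?//(www\\.)?(${alternation})/?`, "i");
// Patched spec from the thread: the same pattern with `([^@]*)$` appended.
const patchedRe = new RegExp(`^(https?:)?//(www\\.)?(${alternation})/?([^@]*)$`, "i");

function allowedByOriginalRegex(src) {
  return originalRe.test(src);
}

function allowedByPatchedRegex(src) {
  return patchedRe.test(src);
}

// Host the browser will actually load the frame from, per the WHATWG URL
// parser. A protocol-relative "//host/..." src is resolved against a dummy
// https base (assumed) so it parses the way it would inside an https page.
function browserHost(src) {
  return new URL(src, "https://placeholder.invalid/").hostname;
}

// Parse-based check (assumed design, not osTicket's): reject anything that is
// not http(s), anything carrying userinfo at all, and any host that is not
// exactly a whitelisted domain or its "www." form.
function allowedByHost(src) {
  let url;
  try {
    url = new URL(src, "https://placeholder.invalid/");
  } catch (e) {
    return false; // not a parseable URL: do not embed it
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (url.username !== "" || url.password !== "") return false;
  const host = url.hostname.toLowerCase();
  return WHITELIST.some((d) => host === d || host === "www." + d);
}

// Constructed sample src values, including the report's userinfo trick.
const SAMPLES = [
  "https://www.youtube.com/embed/abc",   // legitimate embed
  "//vimeo.com/video/1",                  // protocol-relative, legitimate
  "http://youtube.com@127.0.0.1/",        // the report's PoC
  "https://youtube.com.attacker.test/v",  // host that merely starts with a whitelisted name
  "https://attacker.test/",               // plainly foreign host
];

// One row per sample: what the browser resolves, and each check's verdict.
function report() {
  return SAMPLES.map((src) => ({
    src,
    browserHost: browserHost(src),
    original: allowedByOriginalRegex(src),
    patched: allowedByPatchedRegex(src),
    byHost: allowedByHost(src),
  }));
}

for (const row of report()) {
  console.log(row);
}
```

Run with node. The PoC row shows the crux of the report: both the original regex and the browser agree the value starts with "youtube.com", yet the browser's hostname is 127.0.0.1. The patched regex rejects that value because of the "@", while the host-based check rejects it because userinfo is present and the host is not whitelisted; the two approaches differ on the fourth sample, where the host only begins with a whitelisted name.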

Occurrences

Improper checking of whitelist.

Z-Old (Admin), a year ago

Hey haxatron, I've emailed the repository maintainers for you.

We have contacted a member of the osticket team and are waiting to hear back (a year ago)
osticket/osticket maintainer (Maintainer), a year ago

@haxatron

Could you please provide a working example? [malicious-server] isn’t really helpful in the debugging process.

Cheers.

haxatron (Researcher), a year ago

You can use 127.0.0.1, which means that you can IFrame the internal website, which is something that should not happen due to the embedded domain whitelist.

haxatron (Researcher), a year ago

Additionally, you may host another webserver in the network containing the following HTML

<script>alert(document.domain)</script>

Then replace [malicious-server] with the web server's IP address. You should get an alert popup, which signifies you can execute arbitrary JavaScript.

But you cannot steal any cookies due to the same origin policy.

Apologies for not being clear earlier.

haxatron (Researcher), a year ago

This bug occurs because by visiting the URL http://youtube.com@127.0.0.1 for instance, this will resolve to 127.0.0.1 instead of youtube.com.

osticket/osticket maintainer (Maintainer), a year ago

@haxatron

Thank you for the information. We will review this and get back to you.

Cheers.

osticket/osticket maintainer (Maintainer), a year ago

@haxatron

Please apply the following patch and confirm it mitigates the issue on your side:

diff --git a/include/class.format.php b/include/class.format.php
index e8f4a7c..b6cb23b 100644
--- a/include/class.format.php
+++ b/include/class.format.php
@@ -341,7 +341,7 @@ class Format {
             $config['elements'] = '*+iframe';
             $config['spec'] = 'iframe=-*,height,width,type,style,src(match="`^(https?:)?//(www\.)?('
                 .implode('|', $whitelist)
-                .')/?`i"),frameborder'.($options['spec'] ? '; '.$options['spec'] : '').',allowfullscreen';
+                .')/?([^@]*)$`i"),frameborder'.($options['spec'] ? '; '.$options['spec'] : '').',allowfullscreen';
         }
 
         return Format::html($html, $config);
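Review bot: the appended `([^@]*)$` rejects any `@` after the whitelisted name, which stops `http://youtube.com@127.0.0.1`, but the pattern still does not require the host to end where the whitelisted name ends: after `(www\.)?(<whitelist>)` comes `/?` and then `[^@]*`, so a src such as `https://youtube.com.example.test/x` matches the patched pattern just as it matched the old one. Suggest replacing `/?([^@]*)$` with `(/[^@]*)?$`, so the whitelisted host must be followed by `/` or the end of the value, and adding a comment to the spec string saying why `@` is excluded (it also forbids `@` in the path and query, which is fine for embed URLs but is not obvious from the regex). It is also not visible in this hunk whether the `$whitelist` entries go through `preg_quote()` before the `implode()`; if they do not, the `.` in each entry matches any character. Longer term, parsing `src` with a URL parser and comparing the host is the more robust fix, as the report recommends.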

Cheers.

haxatron (Researcher), a year ago

Hi there, I have applied the patch fix on my local server and confirmed that it fixes the issue.

Could you validate this report?

Thanks!

osticket/osticket maintainer validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
osticket/osticket maintainer (Maintainer), a year ago

We are awaiting other reported vulnerabilities to be mitigated before we make the patch public and release new versions. I will post the commit hash here once released to the public.

haxatron (Researcher), a year ago

Hi there, thanks! Can you also review the other report I submitted - https://www.huntr.dev/bounties/5c0c8e35-67f3-4714-834c-e1b90999b29a/

Thanks and regards.

JediKev confirmed that a fix has been merged on 4b4da5 a year ago
JediKev has been awarded the fix bounty
class.format.php#L337L345 has been validated