Improper Restriction of Rendered UI Layers or Frames in osticket/osticket

Valid

Reported on

Sep 20th 2021


Description

The embed whitelist check incorrectly parses the URL given in iframe src attributes. An attacker can inject iframe elements that load arbitrary domains and are rendered for admins, bypassing the embedded domain whitelist.

Proof of Concept

<iframe src="http://youtube.com@[malicious-server]"> will render the [malicious-server] site rather than youtube.com, bypassing the embedded domain whitelist.

Impact

Although this is not equivalent to an XSS attack, because the Same Origin Policy isolates the framed content, the vulnerability can be used to escalate a reflected XSS to a stored XSS. It can also enable phishing through malicious forms hosted on the domain the iframe points to, and, if the user's browser is vulnerable, exploits loaded on the malicious site may harm the user's browser.

Recommended Fix

The vulnerability occurs from lines 337 to 345 of https://github.com/osTicket/osTicket/blob/cb6766e5e4cdb82bb5e7d7671d41b0a476f61e0a/include/class.format.php. The recommended fix is to extract the host that follows the http:// or https:// prefix and parse it with a proper URL parser, rather than matching the string by prefix.
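As an added illustration of the description and recommended fix above (example code written for this page, not osTicket's own; the whitelist, function names and sample URLs are constructed), the PHP below contrasts a simplified prefix regex of the kind used for the src attribute with a host check built on parse_url(). Beyond the report's userinfo case, the last sample shows that a prefix match also accepts a hostname that merely begins with a whitelisted domain, which the host comparison rejects.

```php
<?php
// Added example, not osTicket code: checking an iframe src against an embed
// whitelist by parsing the URL and comparing the host, instead of a prefix
// regex that can be fooled by "userinfo@" in front of the real host.

// Constructed whitelist for the example (osTicket's own $whitelist is not shown).
const EMBED_WHITELIST = ['youtube.com', 'player.vimeo.com'];

/**
 * Prefix-style check (simplified, hypothetical): it accepts any src that merely
 * starts with a whitelisted domain, so "http://youtube.com@127.0.0.1" passes
 * even though the browser treats "youtube.com" as userinfo and loads 127.0.0.1.
 */
function iframe_src_allowed_by_prefix(string $src, array $whitelist): bool
{
    $alts = implode('|', array_map('preg_quote', $whitelist));
    return (bool) preg_match('`^(https?:)?//(www\.)?(' . $alts . ')/?`i', $src);
}

/**
 * Host-based check (hypothetical helper): parse the URL with parse_url(),
 * reject anything carrying userinfo, and require the host component itself
 * to equal a whitelisted domain.
 */
function iframe_src_allowed_by_host(string $src, array $whitelist): bool
{
    // Embed codes are often protocol-relative (//host/...); give parse_url() a scheme.
    if (substr($src, 0, 2) === '//') {
        $src = 'https:' . $src;
    }
    $parts = parse_url($src);
    if ($parts === false || empty($parts['host'])) {
        return false;             // unparseable, or no authority section at all
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;             // javascript:, data:, etc. are never embeds
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;             // embedded players never need credentials in the URL
    }
    $host = strtolower($parts['host']);
    if (substr($host, 0, 4) === 'www.') {
        $host = substr($host, 4); // mirror the optional "www." allowance
    }
    return in_array($host, $whitelist, true);
}

// Constructed sample sources: a legitimate embed, the report's proof of concept,
// a protocol-relative embed, and a host that only begins with a whitelisted name.
$samples = [
    'https://www.youtube.com/embed/abc123',
    'http://youtube.com@127.0.0.1/',
    '//youtube.com/embed/abc123',
    'https://youtube.com.example/embed/abc123',
];
foreach ($samples as $src) {
    printf("%-45s prefix-regex: %-5s host-check: %s\n",
        $src,
        iframe_src_allowed_by_prefix($src, EMBED_WHITELIST) ? 'allow' : 'deny',
        iframe_src_allowed_by_host($src, EMBED_WHITELIST) ? 'allow' : 'deny');
}
```

Run with `php` on the command line: the prefix regex allows all four sources, while the host check allows only the first and third. The design choice is to make the decision on the parsed host component alone, so that userinfo, ports, paths and query strings can never influence which server the browser actually contacts.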

Occurrences

Improper checking of whitelist.

Z-Old
2 years ago

Admin


Hey haxatron, I've emailed the repository maintainers for you.

We have contacted a member of the osticket team and are waiting to hear back 2 years ago
osticket/osticket maintainer
2 years ago

Maintainer


@haxatron

Could you please provide a working example? [malicious-server] isn’t really helpful in the debugging process.

Cheers.

haxatron
2 years ago

Researcher


You can use 127.0.0.1, which means that you can IFrame the internal website, which is something that should not happen due to the embedded domain whitelist.

haxatron
2 years ago

Researcher


Additionally, you may host another webserver in the network containing the following HTML

<script>alert(document.domain)</script>

Then replace [malicious-server] with the webserver IP address. You should get an alert popup, which signifies that you can execute arbitrary JavaScript.

But you cannot steal any cookies due to the same origin policy.

Apologies for not being clear earlier.

haxatron
2 years ago

Researcher


This bug occurs because visiting the URL http://youtube.com@127.0.0.1, for instance, resolves to 127.0.0.1 instead of youtube.com.

osticket/osticket maintainer
2 years ago

Maintainer


@haxatron

Thank you for the information. We will review this and get back to you.

Cheers.

osticket/osticket maintainer
2 years ago

Maintainer


@haxatron

Please apply the following patch and confirm it mitigates the issue on your side:

diff --git a/include/class.format.php b/include/class.format.php
index e8f4a7c..b6cb23b 100644
--- a/include/class.format.php
+++ b/include/class.format.php
@@ -341,7 +341,7 @@ class Format {
             $config['elements'] = '*+iframe';
             $config['spec'] = 'iframe=-*,height,width,type,style,src(match="`^(https?:)?//(www\.)?('
                 .implode('|', $whitelist)
-                .')/?`i"),frameborder'.($options['spec'] ? '; '.$options['spec'] : '').',allowfullscreen';
+                .')/?([^@]*)$`i"),frameborder'.($options['spec'] ? '; '.$options['spec'] : '').',allowfullscreen';
         }
 
         return Format::html($html, $config);
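Review bot: the appended `([^@]*)$` on the `+` line rejects any `@` after the whitelisted domain, which stops the userinfo trick in this report, but the host is still not terminated: after the whitelisted domain the pattern allows an optional `/` and then any non-`@` characters, so the domain match remains a prefix match and a hostname that merely begins with a whitelisted name still satisfies it. Require the host to end at a port, path, query, fragment or end of string, e.g. replace `.')/?([^@]*)$`i"),frameborder'` with `.')(?:[/:?#][^@]*)?$`i"),frameborder'`. A short comment above the `$config['spec']` assignment explaining why `@` is excluded would also help, since the change silently rejects otherwise legitimate embed URLs that carry an `@` in their query string.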

Cheers.

haxatron
2 years ago

Researcher


Hi there, I have applied the patch fix on my local server and confirmed that it fixes the issue.

Could you validate this report?

Thanks!

osticket/osticket maintainer validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
osticket/osticket maintainer
2 years ago

Maintainer


We are awaiting other reported vulnerabilities to be mitigated before we make the patch public and release new versions. I will post the commit hash here once released to the public.

haxatron
2 years ago

Researcher


Hi there, thanks! Can you also review the other report I submitted - https://www.huntr.dev/bounties/5c0c8e35-67f3-4714-834c-e1b90999b29a/

Thanks and regards.

JediKev marked this as fixed with commit 4b4da5 2 years ago
JediKev has been awarded the fix bounty
This vulnerability will not receive a CVE
class.format.php#L337L345 has been validated