Reflected XSS in Advanced Ticket Search in osticket/osticket

Valid

Reported on Dec 6th 2022


Description

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

In this specific case, after agent authentication and regardless of administrative privileges, the advanced ticket search functionality can be reached from scp/tickets.php. It presents a drop-down list of saved searches whose options are identified by incremental integer identifiers, and these identifiers correspond to the parent_id and pid GET parameters.

By closing the <input> tag that expects the above-mentioned integer for the selected parent_id or pid, it is possible to inject JavaScript content, which can be used to make the victim user execute malicious client-side code.
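The following is an added example, not osTicket code, that models the sink described above: an integer identifier reflected into the value attribute of an <input> tag. It uses a constructed payload with the same shape as the parent_id PoC below, renders it through a vulnerable concatenation and through two independent fixes (the integer cast the maintainer's patch applies, and output encoding at the sink), and runs a small breakout check over each rendered fragment. Function names and the check are assumptions for illustration only.

```php
<?php
// Added example (not osTicket code): how a numeric id reflected into an
// <input> attribute becomes reflected XSS, and two independent fixes.

// Constructed payload modelled on the report's parent_id PoC: it closes the
// value="..." attribute and the tag, then opens a new element.
$payload = '1"><svg/x=">"/onload=confirm()//';

// Vulnerable shape: the raw GET value is concatenated into the attribute.
function renderParentFieldVulnerable($parentId) {
    return '<input type="hidden" name="parent_id" value="' . $parentId . '"/>';
}

// Fix 1 (the approach the maintainer's patch takes): coerce to the type the
// field actually holds. A non-numeric string becomes 0, a leading-numeric
// string such as the payload becomes 1, so no markup survives.
function renderParentFieldTyped($parentId) {
    $id = (int) ($parentId ?? 0);
    return '<input type="hidden" name="parent_id" value="' . $id . '"/>';
}

// Fix 2 (defence in depth): HTML-encode at the sink regardless of type, so
// the attribute cannot be terminated even if a caller skips the cast.
function renderParentFieldEncoded($parentId) {
    $safe = htmlspecialchars((string) $parentId, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="parent_id" value="' . $safe . '"/>';
}

// Hypothetical reviewer check over a rendered fragment: a safe render of this
// one-element template contains exactly one '<' (the <input itself); any
// extra '<' means the attribute value escaped into markup.
function attributeBreaksOut($html) {
    return substr_count($html, '<') !== 1;
}

$renderers = [
    'vulnerable' => 'renderParentFieldVulnerable',
    'typed'      => 'renderParentFieldTyped',
    'encoded'    => 'renderParentFieldEncoded',
];

foreach ($renderers as $label => $fn) {
    $html = $fn($payload);
    printf("%-10s breakout=%-3s %s\n", $label,
        attributeBreaksOut($html) ? 'yes' : 'no', $html);
}
```

Run it with `php example.php`: the vulnerable renderer reports a breakout because the payload's closing quote and angle bracket land in the page verbatim, the typed renderer emits `value="1"`, and the encoded renderer emits the payload with `"`, `<` and `>` replaced by entities. The cast is the right fix for a field that is semantically an integer; the encoding is what protects any other caller that reaches the same template with a string.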

Proof of Concept (exploiting parent_id GET parameter):

http://<TARGET>/osTicket/scp/ajax.php/tickets/search?parent_id=1"><svg/x=">"/onload=confirm()//

Proof of Concept (exploiting pid GET parameter):

http://<TARGET>/osTicket/scp/ajax.php/tickets/search/create?pid=adhoc%2cpdXBTnfSg0riebm%22%3e%3cscript%3ealert(1)%3c%2fscript%3etgghb

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can perform any action within the application that the user can perform, view any information that the user is able to view, modify any information that the user is able to modify or initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

In this practical example, the victim of the attack is another osTicket agent, regardless of administrative privileges. The impact is therefore higher when a malicious agent succeeds in getting a second agent with higher privileges to execute malicious JavaScript code.

Occurrences

Unsanitized pid GET parameter in osTicket/include/ajax.search.php.

Proof of Concept (exploiting pid GET parameter):

http://<TARGET>/osTicket/scp/ajax.php/tickets/search/create?pid=adhoc%2cpdXBTnfSg0riebm%22%3e%3cscript%3ealert(1)%3c%2fscript%3etgghb

Unsanitized parent_id GET parameter in osTicket/include/ajax.search.php.

Proof of Concept (exploiting parent_id GET parameter):

http://<TARGET>/osTicket/scp/ajax.php/tickets/search?parent_id=1"><svg/x=">"/onload=confirm()//

We are processing your report and will contact the osticket team within 24 hours 4 months ago
Samuele Gugliotta modified the report 4 months ago
Samuele Gugliotta modified the report 4 months ago
We have contacted a member of the osticket team and are waiting to hear back 3 months ago
Samuele Gugliotta modified the report 3 months ago
Samuele
3 months ago

Researcher


Included another occurrence affecting pid GET parameter on osTicket/include/ajax.search.php along with its related additional PoC that will trigger the second XSS.

JediKev
2 months ago

Maintainer


Can you please apply the below patch and let us know if this fully mitigates the vulnerability?

diff --git a/include/ajax.search.php b/include/ajax.search.php
index 56c0f332..25756414 100644
--- a/include/ajax.search.php
+++ b/include/ajax.search.php
@@ -31,7 +31,7 @@ class SearchAjaxAPI extends AjaxController {
         $search = new AdhocSearch(array(
             'root' => 'T',
             'staff_id' => $thisstaff->getId(),
-            'parent_id' => @$_GET['parent_id'] ?: 0,
+            'parent_id' => (int) @$_GET['parent_id'] ?: 0,
         ));
         if ($search->parent_id) {
             $search->flags |= SavedSearch::FLAG_INHERIT_COLUMNS;
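Review bot: the cast and the `?:` fallback on the `+` line compose correctly, since `(int)` binds tighter than `?:` and a non-numeric `parent_id` therefore ends up as 0, but the `@` suppression is now the only thing covering a missing key; `(int) ($_GET['parent_id'] ?? 0)` expresses the same intent without silencing errors. The cast also only fixes the value at this constructor; the template that echoes `parent_id` back into the `<input>` should still HTML-encode it so the protection does not depend on every caller passing through this line.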
@@ -168,7 +168,7 @@ class SearchAjaxAPI extends AjaxController {
                     'title' => __('Add Queue'),
                     'root' => 'T',
                     'staff_id' => $thisstaff->getId(),
-                    'parent_id' =>  $_GET['pid'],
+                    'parent_id' => (int) $_GET['pid'],
                     ));
         $this->_tryAgain($search);
     }
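Review bot: the `+` line casts `$_GET['pid']` but, unlike the first hunk, has no fallback for an absent key, so a request without `pid` raises an undefined-index warning before the cast yields 0; `(int) ($_GET['pid'] ?? 0)` keeps the two hunks consistent. The extra space before `$_GET['pid']` in the `-` line is dropped in the replacement, which is fine.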
diff --git a/include/staff/templates/advanced-search.tmpl.php b/include/staff/templates/advanced-search.tmpl.php
index 7bfc8bc2..a9b3167e 100644
--- a/include/staff/templates/advanced-search.tmpl.php
+++ b/include/staff/templates/advanced-search.tmpl.php
@@ -1,9 +1,9 @@
 <?php
 global $thisstaff;
 
-$parent_id = (isset($_REQUEST['parent_id']) && is_numeric($_REQUEST['parent_id']))
+$parent_id = (int) ((isset($_REQUEST['parent_id']) && is_numeric($_REQUEST['parent_id']))
         ? $_REQUEST['parent_id']
-        : $search->parent_id;
+        : $search->parent_id);
 if ($parent_id
     && is_numeric($parent_id)
     && (!($parent = SavedQueue::lookup($parent_id)))
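Review bot: with `(int)` now wrapping the whole ternary, `$parent_id` is always an integer, so the retained `&& is_numeric($parent_id)` in the context lines is redundant and can be dropped unless `$search->parent_id` can still be null. A short comment on the `+` line saying the cast is what makes the value safe to echo into the `<input>` later in the template would help, because the `is_numeric($_REQUEST['parent_id'])` guard right above makes the cast look like a no-op to a future reader.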

Cheers.

Samuele
2 months ago

Researcher


Hi @JediKev. Fix looks great! After applying it, I'm no longer able to reproduce the issue, both on pid and parent_id.

Samuele
13 days ago

Researcher


Hey @JediKev. Now that osTicket version v1.16.6/v1.17.3 has been released, can this report and the others kindly be validated? It would be great to request CVE assignments for them. Thank you!

JediKev validated this vulnerability 12 days ago
Samuele Gugliotta has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
JediKev marked this as fixed in v1.16.6 with commit ec6043 12 days ago
JediKev has been awarded the fix bounty
This vulnerability has been assigned a CVE
JediKev published this vulnerability 12 days ago
ajax.search.php#L34 has been validated
ajax.search.php#L171 has been validated