Reflected XSS in Advanced Ticket Search in osticket/osticket
Reported on
Dec 6th 2022
Description
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
In this specific case, following agent authentication and regardless of administrative privileges, it's possible to navigate the advanced ticket search functionality from scp/tickets.php. It presents a drop-down list of searches defined as options by some integers, used as incremental numeric identifiers, correlated to the parent_id and pid GET parameters.
By closing the <input> tag that expects the above-mentioned integer in reference to the selected parent_id or pid, it's possible to insert javascript content, which can be used to make the victim user execute malicious client-side code.
Proof of Concept (exploiting parent_id GET parameter):
http://<TARGET>/osTicket/scp/ajax.php/tickets/search?parent_id=1"><svg/x=">"/onload=confirm()//
Proof of Concept (exploiting pid GET parameter):
http://<TARGET>/osTicket/scp/ajax.php/tickets/search/create?pid=adhoc%2cpdXBTnfSg0riebm%22%3e%3cscript%3ealert(1)%3c%2fscript%3etgghb
Impact
If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can perform any action within the application that the user can perform, view any information that the user is able to view, modify any information that the user is able to modify or initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.
Ideally, in this practical example, the victim user of this attack is represented by another osTicket agent, regardless of administrative privileges. Thus, the impact would be considered higher in the case where a malicious agent succeeds in getting a second agent, the victim, who instead possesses higher privileges, to execute malicious javascript code.
Occurrences
ajax.search.php L171
Unsanitized pid GET parameter in osTicket/include/ajax.search.php.
Proof of Concept (exploiting pid GET parameter):
http://<TARGET>/osTicket/scp/ajax.php/tickets/search/create?pid=adhoc%2cpdXBTnfSg0riebm%22%3e%3cscript%3ealert(1)%3c%2fscript%3etgghb
ajax.search.php L34
Unsanitized parent_id GET parameter in osTicket/include/ajax.search.php.
Proof of Concept (exploiting parent_id GET parameter):
http://<TARGET>/osTicket/scp/ajax.php/tickets/search?parent_id=1"><svg/x=">"/onload=confirm()//
Included another occurrence affecting pid GET parameter on osTicket/include/ajax.search.php along with its related additional PoC that will trigger the second XSS.
@
Can you please apply the below patch and let us know if this fully mitigates the vulnerability?
diff --git a/include/ajax.search.php b/include/ajax.search.php
index 56c0f332..25756414 100644
--- a/include/ajax.search.php
+++ b/include/ajax.search.php
@@ -31,7 +31,7 @@ class SearchAjaxAPI extends AjaxController {
$search = new AdhocSearch(array(
'root' => 'T',
'staff_id' => $thisstaff->getId(),
- 'parent_id' => @$_GET['parent_id'] ?: 0,
+ 'parent_id' => (int) @$_GET['parent_id'] ?: 0,
));
if ($search->parent_id) {
$search->flags |= SavedSearch::FLAG_INHERIT_COLUMNS;
@@ -168,7 +168,7 @@ class SearchAjaxAPI extends AjaxController {
'title' => __('Add Queue'),
'root' => 'T',
'staff_id' => $thisstaff->getId(),
- 'parent_id' => $_GET['pid'],
+ 'parent_id' => (int) $_GET['pid'],
));
$this->_tryAgain($search);
}
diff --git a/include/staff/templates/advanced-search.tmpl.php b/include/staff/templates/advanced-search.tmpl.php
index 7bfc8bc2..a9b3167e 100644
--- a/include/staff/templates/advanced-search.tmpl.php
+++ b/include/staff/templates/advanced-search.tmpl.php
@@ -1,9 +1,9 @@
<?php
global $thisstaff;
-$parent_id = (isset($_REQUEST['parent_id']) && is_numeric($_REQUEST['parent_id']))
+$parent_id = (int) ((isset($_REQUEST['parent_id']) && is_numeric($_REQUEST['parent_id']))
? $_REQUEST['parent_id']
- : $search->parent_id;
+ : $search->parent_id);
if ($parent_id
&& is_numeric($parent_id)
&& (!($parent = SavedQueue::lookup($parent_id)))
Cheers.
Hi @JediKev. Fix looks great! After applying it, I'm no longer able to reproduce the issue, both on pid and parent_id.
Hey @JediKev. Now that the osTicket version v1.16.6/v1.17.3 has been released can this report and the others kindly be validated? It would be great to request some CVEs assignment to them. Thank you!