Multiple persistent Cross-Site Scripting vulnerabilities in osTicket

Abstract

Two persistent Cross-Site Scripting vulnerabilities have been found in osTicket. These issues exists due to the lack of output encoding on user input. These vulnerabilities allow an attacker to inject malicious JavaScript code into the application. This code will then be executed within the browser of a user who views the dashboard. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf.

Tested versions

These issues were successfully tested on osTicket version 1.9.12.

Fix

osTicket version 1.9.15 and osTicket version 1.10 are released that address these vulnerabilities.

Introduction

osTicket is a widely-used and open-source support ticket system. It routes inquiries created via email, web-forms and phone calls into a simple, easy-to-use, multi-user, web-based customer support platform.

Two persistent Cross-Site Scripting vulnerabilities have been found in the system log dashboard of osTicket. These issues exists due to the lack of output encoding on user input and allow an attacker to inject malicious JavaScript code into the application.

Details

The first issue is located in the file include/staff/header.inc.php and exists due to the fact that the Helpdesk name/title lacks encoding.

<head>
	<meta http-equiv="content-type" content="text/html; charset=UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
	<meta http-equiv="cache-control" content="no-cache" />
	<meta http-equiv="pragma" content="no-cache" />
	<meta http-equiv="x-pjax-version" content="<?php echo GIT_VERSION; ?>">
	<title><?php **echo ($ost && ($title=$ost->getPageTitle()))?$title:'osTicket :: '.__('Staff Control Panel');** ?></title>

The second vulnerability exists because of the lack of output encoding on the X-Forwarded-For HTTP header. When sending a request with a malicious value in the X-Forwarded-For HTTP header to osTicket, this value will be displayed in the system log dashboard. If script code is added to the X-Forwarded-For HTTP header such code will be injected into the dashboard.

include/staff/ticket-view.inc.php:

<tr>
	<th><?php echo __('Source'); ?>:</th>
	<td><?php
			echo Format::htmlchars($ticket->getSource());
			if (!strcasecmp($ticket->getSource(), 'Web') && $ticket->getIP())
			**echo '&nbsp;&nbsp; <span class="faded">('.$ticket->getIP().')</span>';**
			?>
	</td>
</tr>

include/staff/syslogs.inc.php:

<tr id="<?php echo $row['log_id']; ?>">
	<td align="center" nowrap>
		<input type="checkbox" class="ckb" name="ids[]" value="<?php echo $row['log_id']; ?>"
			<?php echo $sel?'checked="checked"':''; ?>> </td>
	<td>&nbsp;<a class="tip" href="#log/<?php echo $row['log_id']; ?>"><?php echo Format::htmlchars($row['title']); ?></a></td>
	<td><?php echo $row['log_type']; ?></td>
	<td>&nbsp;<?php echo Format::daydatetime($row['created']); ?></td>
	<td><?php **echo $row['ip_address'];** ?></td>
</tr>

These vulnerabilities allow an attacker to inject malicious JavaScript code into the application. This code will then be executed within the browser of a user who views the dashboard. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf.

Vragen of feedback?