lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAK9-XBrRZtnmBbtBJikFj3NjYEs7ZmvAYfTx=2w3VggWZ+oR5g@mail.gmail.com>
Date: Thu, 4 Feb 2016 11:01:57 +0100
From: Giovanni Cerrato <cerratogianni@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] osTicket multiple vulnerabilities

=============================================
- Release date: February 04th, 2016
- Discovered by: Giovanni Cerrato and Enrico Cinquini
- Severity: High
=============================================

 I. VULNERABILITY
-------------------------

osTicket multiple vulnerabilities.


 II. INTRODUCTION
-------------------------

Last version of osTicket (v1.9.12) is affected by multiple vulnerabilities.

 III. DESCRIPTION
-------------------------

1) UPLOAD HTML FILE

It is possible to upload files attached to a ticket at URL:
https://hostname/upload/open.php
There are some controls to block not allowed file (e.g php,html) but they
are only client-side and not server-side so they can be easily bypassed
using tool like Burp suite.They will be uploaded and reachable at specific
URL like the following example:
https://hostname/file.php?key=qycj1msethqx49ilidrwxrurvebbsipa&expires=1447372800&signature=6ee71ea7dee17cac30a884f4cf823c6734e1115d

This vulnerability could be used for example to perform XSS attack or to
upload a fake login page.

2) MISSIMG FUNCTION LEVEL ACCESS CONTROL

It is possible to access to some contents of the web application without
authentication. It is allowed to view all ticket attachment only by calling
their URLs like following:
https://hostname/file.php?key=qycj1msethqx49ilidrwxrurvebbsipa&expires=1447372800&signature=6ee71ea7dee17cac30a884f4cf823c6734e1115d
.
This vulnerability combined with unrestricted HTML upload can be used to
realize phishing and/or XSS attack via email. To achieve this tasks anyone
needs to upload an HTML file containing malicious Javascript or phishing
page and then spread the associated URL.


3) STORED CROSS SITE SCRITPING

The application is vulnerable to some stored XSS attack.

URL: https://hostname/scp/users.php
Functionality: Add User
Form parameter affected: Internal Notes

URL: https://hostname/scp/orgs.php
Functionality: Add Organization
Form parameter affected: Name, Internal Notes

URL https://hostname/scp/categories.php
Functionality: Add New Category
Form parameter affected: Category Description, Internal Notes

URL https://hostname/scp/departments.php
Functionality: Add New Department
Form parameter affected: Department Signature

URL: https://hostname/scp/teams.php
Functionality: Add New Team
Form parameter affected: Admin Notes, Name

URL: https://hostname/scp/groups.php
Functionality: Add New Group
Form parameter affected: Admin Notes

URL: https://hostname/scp/banlist.php
Functionality: Ban New Email
Form parameter affected: Admin Notes

URL: https://hostname/scp/profile.php
Functionality: Edit profile
Form parameter affected: Signature

A proof of concept can be obtained using the following Javascript code:
<IFRAME onload=alert(1);></IFRAME>


4) SESSION FIXATION

The application does not regenerate session id cookie (OSTSESESSID) after
authentication so it is prone to session fixation attack. This
vulnerability can be used to hijack a valid user session.


 IV. BUSINESS IMPACT
-------------------------

An attacker could upload malicious file, hijack a valid user session,
perform XSS or phishing attacks and access to sensible information.


 V. SYSTEMS AFFECTED
-------------------------

Version 1.9.12 is vulnerable.


 VI. SOLUTION
-------------------------

It's necessary to:

- implement a strong upload filter to prevent the upload of malicious file

- implement an input validation mechanism to avoid being vulnerable to XSS
injection

- review and correct access control to prevent that unauthenticated users
can access to sensible documents


 VII. REFERENCES
-------------------------

osticket website:

http://osticket.com/


 VIII. CREDITS
-------------------------

The vulnerability has been discovered by:

Giovanni Cerrato cerrato(dot)gianni(at)gmail(dot)com
Enrico Cinquini enrico(dot)cinquini(at)gmail(dot)com


 IX. ADVISORY TIMELINE
-------------------------

November 10th, 2015: Vulnerability identification
November 17th, 2015: First contact with vendor
November 19th, 2015: Vendor notified
November 25th, 2015: Asking for status update
November 30th, 2015: Vendor response; investigating
December 16th, 2015: Asking for status update
December 18th, 2015: Vendor says that the vulnerabilities will be fixed in
the new version
January  11th, 2016: Provided more details to vendor
January  25th, 2016: Asking for status update
February 02th, 2016: Advised vendor public disclosure date will be February
04th
February 02th, 2016: Vendor provides status update(still investigating)
February 04th, 2016: Public disclosure


 X. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuse of this
information.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ