Back in 2015, while navigating in the interwebz, I came across a product called osTicket. osTicket was announced as a widely-used and trusted open source support ticket system. It seamlessly routed inquiries created via email, web-forms and phone calls into a simple, easy-to-use, multi-user, web-based customer support platform.
This software was also used by IPLeiria (my college in that period), so the challenge of pwning it increased a little bit. (No, Mr. agent, I didn’t hack into my school. You can go now. )
After downloading the latest version to a VM and realise how it works, I was able to discover an Insecure Direct Object Reference vulnerability.
Proof of concept
The software was simple. In this case, a simple web form that allowed me to create tickets and attach files to them.
While I was intercepting the traffic, I noticed that it was possible to submit tickets with an empty
Issue Summary field, but a file attached to the form. Although the software returned an error message saying
Issue Summary is a required field, the file was still uploaded, and an attach ID was still assigned to it.
In the error page above, I noticed that the attached file was a hyperlink, and this hyperlink allowed me to download the file. The URL was composed by three parameters: the
expiration and a
signature. Without this parameters, it would not be possible to download this file.
A close look at the intercepted traffic revealed two different
POST requests. The first was responsible for sending the file to the server, returning the ID associated with that file. (In this case, the ID was 10)
The second request associated the ID (10), to the draft ticket that was being created. The image below shows an extract of the
POST request described above.
Automating this process using Burp Intruder, it was possible to send multiple request with different ID’s, and obtain all the files uploaded to the server.
It should also be noted that this vulnerability was exploited without authentication and, as it was a draft ticket, there was a huge possibility that this attack would be invisible to the support team.
Furthermore, there’s a high probability that ticket attachments contained sensitive information to the user, increasing the impact of this issue.
- September 30, 2015 — “Where to report” mail sent to osTicket
- October 02, 2015 — osTicket’s SupportSystem Team reply with: “Thanks for your email. You can report any findings on our GitHub project page. Thanks! ”
- October 02, 2015 — Bug reported to osTicket’s github project page.
- October 03, 2015 — Bug fixed.
- October 04, 2015 — Fix merged to dev release.
- October 04, 2015 — Public disclosure.
- 1.9.x (until 1.9.13)
Fixed in version 1.9.13