CVE-2020–24881: Server Side Request Forgery in OsTicket
Server Side Request Forgery in OsTicket
Hello guys, I hope everyone is doing great! A little introduction about me: my name is Talat Mehmood and I have been an active bug bounty hunter, freelancer and penetration tester since 2017.
While working on a penetration testing project (let’s say abc company), I came across their support portal. They were using osTicket 1.12.x. On digging further, I discovered that the “Print” module is vulnerable to Server Side Request Forgery (SSRF). I’ll try to keep this write-up as simple as possible.
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing.
“osTicket is a widely-used open source support ticket system. It seamlessly integrates inquiries created via email, phone and web-based forms into a simple easy-to-use multi-user web interface. Manage, organize and archive all your support requests and responses in one place.”
Exploiting CVE-2020–24881
1. Log in to the osTicket customer portal.
2. Click on any ticket [Open or Closed].
3. In the “Post a Reply” section, click on HTML Editor.
4. I tried different HTML elements like iframe and embed but none of them worked. :( Try using the following payload:
<img src="https://attacker.com">
5. Post the reply and then click on the “Print” button and TA-DAA!
6. You’ll receive a request from the internal IP of the victim machine. I used Burp Suite’s Collaborator server and below is the output:
Impact
Burp Suite and Acunetix label SSRF as “High”. In this case, we can’t see an internal resource from the victim server since the requested resource will be opened in an image element. However, we can perform port scanning and other SSRF exploits. For more details about SSRF, please visit the following URL:
Patch
Upgrade to the latest version of osTicket (version > v1.14.2) from the vendor website.
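Upgrading is the fix. As an added illustration of the defensive check that closes this class of bug (example code written for this write-up, not osTicket’s own code), the following Python filter inspects user-supplied reply HTML before a server-side step such as “Print” fetches the images it references, and reports every img src that is not an http(s) URL on an allowlisted host. The allowlisted host and the sample replies are constructed for the example.

```python
"""Pre-render check for user-supplied ticket HTML (added example, not osTicket code).

A server-side renderer (the print step in this write-up) fetches every <img> in a
reply. Only http(s) sources on an explicit host allowlist may be fetched; anything
else (external hosts, literal IPs, data:/file: schemes, protocol-relative URLs)
is reported so the renderer can drop or replace the element before rendering."""
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"support.example.com"}  # assumed: the portal's own host(s)


def is_unsafe_src(src: str) -> bool:
    """True when the server must not fetch this image source."""
    parsed = urlparse(src.strip())
    if parsed.scheme not in ("http", "https"):
        return True                  # data:, file:, gopher:, "//host/..." etc.
    host = (parsed.hostname or "").lower()
    # Literal IPs (127.0.0.1, 169.254.169.254, ...) never appear in the
    # allowlist, so they are rejected by the same membership test.
    return host not in ALLOWED_HOSTS


class ImgSrcCollector(HTMLParser):
    """Collects every img src value that fails is_unsafe_src()."""

    def __init__(self):
        super().__init__()
        self.unsafe = []

    def handle_starttag(self, tag, attrs):   # also fires for <img ... />
        if tag.lower() != "img":
            return
        for name, value in attrs:
            if name.lower() == "src" and value is not None and is_unsafe_src(value):
                self.unsafe.append(value)


def unsafe_image_sources(reply_html: str) -> list:
    """Return the img src values in a reply that must not be fetched server-side."""
    collector = ImgSrcCollector()
    collector.feed(reply_html)
    collector.close()
    return collector.unsafe


SAMPLE_REPLIES = {  # constructed inputs for this example
    "ok": '<p>Screenshot:</p><img src="https://support.example.com/img/1.png">',
    "external": '<p>Hi</p><img src="https://attacker.example/pixel.gif">',
    "loopback": "<img src='http://127.0.0.1:8080/'>",
    "protocol_relative": '<img src="//attacker.example/p.gif" />',
}
```

A reply whose collected list is non-empty should be rejected or have the offending elements stripped before the print/PDF step runs; the check deliberately allowlists rather than blocklists so that new internal address forms do not slip through.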
Thanks for reading this write-up!
If you liked my write-up, please hit 👏 and share it with your friends, which will encourage me to publish more infosec write-ups in future.
Linkedin: https://www.linkedin.com/in/talat-mehmood-1a10b2142/
Twitter: https://twitter.com/Blackbatsecuri1