CVE-2019-14748

Requirements

  • Non-privileged access to the osTicket instance
    • You simply need to be able to create tickets. Most instances allow anyone to create an account, as long as the email is valid and verified.

Description

This CVE is best exploited by simply logging into the portal, creating a ticket, and attaching the malicious HTML file. CSRF tokens and session cookies would just make an automated tool more of a hassle than it's worth. Once the ticket is created, the attachment can be seen in the description and is accessible by your user, any agents, and any other authenticated users on the site. The payload can either be triggered by waiting for an admin to open the attachment when dealing with the ticket, or by sending the unique URL out. Just right click on the payload and copy the link address - as long as the user is logged in on that site, the HTML and JavaScript will be rendered and run.

Notes

  • Sometimes, when the attachment is first clicked on, the HTML file is opened in another window, and other times it is downloaded, even with the Content-Disposition set to inline. Not sure why this is happening. However, opening the link in a new tab still works!
    • One way to get past this quirk is to make an initial malicious HTML in one ticket and submit it. Then, get the link for it, create a second ticket with a second malicious HTML document, and inside of this second document, use a payload like <script>window.location="https://first_malicious_link"</script>. This way, even if the second HTML document is downloaded and opened locally on the agent's computer, the redirect will work and by opening the file, the victim will be sent to the first payload which will be executed on the site!
  • The session cookies used (OSTSESSION) have HttpOnly turned on, which means cookie stealing through document.cookie is not possible.
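The notes above turn on one detail: the attachment is served with Content-Disposition set to inline, so the browser renders the uploaded HTML inside the osTicket origin. The following is a defensive example added here; it is not osTicket's code and not part of the original writeup. It shows how a download endpoint can pick response headers for a user-uploaded file so that browser-renderable content (HTML, SVG, XML, JavaScript) is always forced to a download with an opaque content type, even when the declared MIME type is wrong, while harmless files such as images keep their inline behaviour. Function and constant names (attachment_headers, looks_active, sanitize_filename, ACTIVE_TYPES) are assumptions for this example, and the sample inputs in the test are constructed.

```python
"""Defensive example (added here, not osTicket's code): choose the response
headers for serving a user-uploaded attachment so that content a browser would
render or execute is never displayed inline in the application's own origin."""
import re

# Declared MIME types that a browser treats as a document or script.
# Constructed list for this example; extend as needed.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "application/javascript", "text/javascript",
}

# Byte patterns that reveal markup regardless of the declared type, because
# the uploader controls both the filename and the Content-Type it sends.
ACTIVE_MARKERS = re.compile(
    rb"<\s*(script|html|svg|iframe|body|meta)\b|<!doctype\s+html", re.I
)


def looks_active(data: bytes) -> bool:
    """True if the first bytes contain markup a browser would render or run."""
    return ACTIVE_MARKERS.search(data[:4096]) is not None


def sanitize_filename(name: str) -> str:
    """Strip directory components and any byte that could break the header."""
    name = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    # Quotes, CR/LF and other control characters become underscores so the
    # filename cannot terminate the Content-Disposition value.
    name = re.sub(r"[^\w.\- ]", "_", name)
    return name or "attachment"


def attachment_headers(filename: str, declared_type: str, data: bytes) -> dict:
    """Return the headers for serving one uploaded file.

    Renderable content is forced to a download with an opaque content type;
    everything else may be shown inline but still gets nosniff and a
    restrictive CSP so a mis-classified file cannot run script.
    """
    declared = (declared_type or "").split(";")[0].strip().lower()
    safe_name = sanitize_filename(filename)
    dangerous = declared in ACTIVE_TYPES or looks_active(data)

    headers = {
        # Stop the browser from guessing a more dangerous type than declared.
        "X-Content-Type-Options": "nosniff",
        # Even if something is rendered, it gets no script and no origin.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    if dangerous:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    else:
        headers["Content-Type"] = declared or "application/octet-stream"
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    return headers


if __name__ == "__main__":
    # Constructed sample: an HTML upload and a text upload that hides markup.
    for name, ctype, body in [
        ("report.html", "text/html", b"<html><body>hello</body></html>"),
        ("notes.txt", "text/plain", b"<script>alert(1)</script>"),
        ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n"),
    ]:
        print(name, attachment_headers(name, ctype, body))
```

The header choice is a mitigation for the inline-rendering half of the issue only; the more robust design is to serve uploads from a separate, cookieless origin so that even rendered content cannot reach the application's session. The content sniffing is deliberately limited to the first 4 KiB and a handful of tags: it is a belt-and-braces check, not a replacement for treating every upload as untrusted.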

Credits

Based on the description found in Exploit-DB, "osTicket 1.12 - Persistent Cross-Site Scripting via File Upload" (located here), by AISHWARYA IYER.