
Security issue - Download attachments submitted by others #2615

Closed
fabiopires opened this Issue Oct 2, 2015 · 6 comments

Comments

fabiopires commented Oct 2, 2015

Hey,

I would like to report a security issue in both of osTicket's latest versions.

Usually I report privately via email, but the support team told me to report it on your GitHub project page, and here I am.

This kind of vulnerability is called "Insecure Direct Object Reference" and in the case of osTicket, you can access every file attached to a ticket that has been uploaded to the server.

This may lead to information disclosure of private data / data theft.

Proof of concept:

First of all you need to create a new ticket, select a file to attach and leave at least one field empty

[screenshot 1]

After you submit your 'invalid' ticket, you get an error about "missing data".
You can notice that the attached file is now a link and you can download it.

[screenshot 2]

Meanwhile, an ajax request (POST) was sent to the server.
This request uploads the file to the server and the server will reply with an ID.
Another request is sent to the server in order to associate the previous ID with the ticket that you're submitting. (next image, id 10)

[screenshots 3 and 4]

As you can see in the previous request, the ID: 10 was sent as an attachment to your ticket.
When you submit this request, the server will reply with the file name associated to ID:10 and the download_url.
[screenshot 5]

Automating this process, by sending the attach id starting from 1 to 10 (last generated id), you get all the files uploaded to the server, with the respective download url.
[screenshot 6]

As this is not the correct behavior (I hope...) I'm reporting it to you in order to get it fixed :)
If you need any additional info please let me know.

Some references:
https://www.owasp.org/index.php/Top_10_2007-Insecure_Direct_Object_Reference
https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References

Member

greezybacon commented Oct 3, 2015

Very interesting. Thank you

@protich protich self-assigned this Oct 3, 2015

greezybacon added a commit to greezybacon/osTicket-1.8 that referenced this issue Oct 3, 2015

files: Only allow files uploaded in this session
This fixes a security issue where, by crafting a special POST request to the
client open.php page, an (unauthenticated) user could get a URL link to
access to any attachment already uploaded in the system by guessing or
brute-forcing the file's ID number.

This patch addresses the issue by registering the uploaded file's ID in the
current user's session. When processing the list of file IDs attached to
the FileUploadField, the files must already have been attached to the field
or have been newly attached in the current session.

Fixes osTicket#2615

References:
"Security issue - Download attachments submitted by others"
osTicket#2615
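The session-scoped allowlist that the commit message describes, as an added example (not osTicket's code; the in-memory file store and the handler names are constructed stand-ins). It shows the pre-fix lookup, which resolves any existing ID, beside the fixed lookup, which only resolves IDs already on the field or uploaded in the current session:

```python
# Added example (not osTicket's code): the allowlist check the fix describes.
# Uploaded file IDs are registered in the submitter's session; when a form is
# processed, a submitted attachment ID is honoured only if it is already
# attached to that field or was uploaded in the current session.

FILE_STORE = {}          # constructed stand-in for the server's file table: id -> name
SESSION_KEY = "uploaded_file_ids"

def upload_file(session, filename):
    """AJAX upload handler: store the file, return its ID, remember it in the session."""
    file_id = max(FILE_STORE, default=0) + 1   # sequential IDs, as in the report
    FILE_STORE[file_id] = filename
    session.setdefault(SESSION_KEY, set()).add(file_id)
    return file_id

def attach_vulnerable(session, field_files, submitted_ids):
    """Pre-fix behaviour: any existing ID resolves, so IDs can simply be enumerated."""
    return {i: FILE_STORE[i] for i in submitted_ids if i in FILE_STORE}

def attach_fixed(session, field_files, submitted_ids):
    """Post-fix behaviour: resolve only IDs already on this field or uploaded in this session."""
    allowed = set(field_files) | session.get(SESSION_KEY, set())
    accepted, rejected = {}, []
    for i in submitted_ids:
        if i in allowed and i in FILE_STORE:
            accepted[i] = FILE_STORE[i]
        else:
            rejected.append(i)   # worth logging: a file ID this session never uploaded
    return accepted, rejected

def demo():
    """Two browsers: one session uploads ID 1; a second session references IDs 1 and 2."""
    FILE_STORE.clear()
    victim, other = {}, {}
    upload_file(victim, "contract.pdf")          # ID 1, registered only in the first session
    mine = upload_file(other, "screenshot.png")  # ID 2, registered in the second session
    leaked = attach_vulnerable(other, [], [1, mine])
    accepted, rejected = attach_fixed(other, [], [1, mine])
    return leaked, accepted, rejected

if __name__ == "__main__":
    print(demo())
```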
Member

greezybacon commented Oct 3, 2015

@fabiopires would you be able to re-test with the patch in #2618. Using Firefox I was able to resend a POST like what you described and it seems fixed. Also, my initial tests seem to show that the system seems to work correctly with the fields in the thread-entry widget like you depict as well as with the "File Upload" field used separately in various other forms.

fabiopires commented Oct 5, 2015

Nice, it's solved. Nice work.
We will be requesting CVEs for this vulnerability and later create a blog post for it (https://labs.integrity.pt/)

To disclose this vuln responsibly, we wanted to ask you when the latest version will become public?

Please let us know, so that we can allow some time for all users to update their versions. :)

In our blog we will credit your excellent dev team for answering us so fast in order to solve everything as quickly as possible.

Regards

@protich protich closed this in #2618 Oct 5, 2015

fabiopires commented Feb 3, 2016

Btw, this issue still works on the latest version available on osTicket's website. (http://osticket.com/download/go?dl=osTicket-v1.9.12.zip).

Regards

Contributor

ntozier commented Feb 3, 2016

@fabiopires did you apply the patch?

1.9.12 was released on Aug 19, 2015 which was before this issue was reported.

fabiopires commented Feb 3, 2016

@ntozier hmm, sorry, you are right.

Didn't notice that. I thought the last version available for download on the official website was already patched.

My bad. ok :)
