Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

xss: XSS To LFI Vulnerability #4869

Merged
merged 1 commit into from Apr 24, 2019

Conversation

JediKev
Copy link
Member

@JediKev JediKev commented Apr 24, 2019

This addresses a vulnerability found by AkkuS where a simple XSS attempt can lead to an LFI (Local File Inclusion) attack. The issue stems from the system returning the unformatted file contents in an error message when uploading a CSV to the User Importer. This formats the contents before uploading so that if the contents are returned in an error message they will not be executed by the browser which therefore prevents XSS attempts and the possibility of an LFI attack. This also formats all the user-created data sent to ImportError to prevent the same issue.

This addresses a vulnerability found by [AkkuS CW](https://pentest.com.tr)
where a simple XSS attempt can lead to an LFI (Local File Inclusion) attack.
The issue stems from the system returning the unformatted file contents in
an error message when uploading a CSV to the User Importer. This formats the
contents before uploading so that if the contents are returned in an error
message they will not be executed by the browser which therefore prevents
XSS attempts and the possibility of an LFI attack. This also formats all the
user-created data sent to ImportError to prevent the same issue.
@protich protich merged commit 9effd2b into osTicket:develop Apr 24, 2019
hejamu pushed a commit to physcip/osTicket that referenced this issue Jul 20, 2019
osTicket v1.10.6

Maintenance release for osTicket 1.10

=== Enhancements
* issue: Upgrader Wrong Guide Link (osTicket#4739)
* iframe: Allow Multiple iFrame Domains (osTicket#4781)
* issue: Strip Emoticons (osTicket#4523)

=== Improvements
* issue: Maxfilesize Comma Crash (osTicket#4340)
* issue: No Save Button On Quicknotes (osTicket#4706)
* issue: PHP 7.2 Ticket Status (osTicket#4758)
* issue: Canned Response Variables (osTicket#4759)
* issue: FAQ Search Results (osTicket#4771)
* issue: FAQ Return Errors (osTicket#4772)
* issue: Duplicate Form Titles (osTicket#4788)
* issue: Organizations Users Sort (osTicket#4806)
* oops: Emojis Strip Korean (osTicket#4823)
* issue: iFrame On Install (osTicket#4824)
* issue: sendAccessLink On NULL (osTicket#4828)
* Update README.md (eccc57a, e5f4180)
* issue: iFrame Single Quotes (osTicket#4844)
* issue: .eml/.msg Attachments (osTicket#4857)

=== Performance and Security
* xss: XSS To LFI Vulnerability (osTicket#4869)
* jquery: Update Again (osTicket#4858)
JoshBeckerPLCH pushed a commit to plch/osTicket that referenced this issue Feb 28, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants