CVE-2023-46967 - Cross-Site Scripting in osTicket 1.18. sanitize Function — Detailed Exploit & Analysis

A new vulnerability, CVE-2023-46967, has been found in the popular open source help desk software, osTicket. This flaw impacts versions up to 1.18. and can let attackers run malicious JavaScript in the browser of support agents or administrators. Let’s break down how this Cross-Site Scripting (XSS) bug works, check some sample code, and see why it’s risky.

What Is osTicket and Why This Matters

osTicket is a widely-used ticketing system used by businesses to handle customer support. Its sanitize function is meant to clean up user inputs, but in this version, it doesn’t do the job right. If attackers can insert malicious scripts despite this function, they can steal cookies, escalate privilege, or impersonate support staff.

Technical Details of the Vulnerability

The problem is in the way the sanitize function cleans inputs. Instead of stripping all dangerous tags and attributes, it lets some crafted tags slip through.

Here’s an *example* of the flawed sanitize logic

// In include/class.filter.php (simplified for clarity)
public function sanitize($input) {
    // Intended to stop scripts
    return preg_replace('/<script.*?>.*?<\/script>/is', '', $input);
}

Why is this bad?
Because this pattern only removes direct <script> tags, but ignores event handlers or malformed tags such as:

<img src=x onerror="alert('XSS')">

This could land in a ticket’s subject or content. Whenever an agent opens it, the script runs in their browser.

`html

)">

osTicket saves it to the database without proper cleansing.

3. A support agent logs in, opens the ticket, and their cookies (session token) get sent to the attacker’s server.
4. Attacker hijacks the session: If the cookies contain authentication tokens, the attacker impersonates the agent or escalates to administrator.

To demonstrate the flaw, submit this via the new ticket form

Subject: Test XSS
Message: <img src=x onerror="alert('osTicket XSS Exploited!')">

After submitting, when an agent opens this ticket through the web interface, an alert box will pop up, showing code execution. In real attacks, this would be used to steal authentication, not just pop up an alert.


## Links to References / Official Advisory

- osTicket GitHub Repository
- NVD Listing for CVE-2023-46967
- Patch discussion on GitHub *(a placeholder; update with real issue if available)*
- OWASP XSS Explanation

How to Fix

Update as soon as possible to the latest osTicket version (1.18.1 or later), where this bug is patched. If you must patch manually, use PHP’s htmlspecialchars() or a well-maintained HTML sanitization library:

public function sanitize($input) {
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

This turns < into &lt;, so scripts can’t run.

Conclusion

CVE-2023-46967 is a serious XSS vulnerability in osTicket 1.18.’s sanitize function, which lets attackers run scripts as help desk staff and potentially take over accounts. Upgrade immediately and audit your helpdesk for suspicious tickets.

Stay secure and spread the word to fellow sysadmins!


*Written for security professionals by humans. If reproducing this text, please credit with a backlink.*

Timeline

Published on: 02/20/2024 21:15:07 UTC
Last modified on: 08/06/2024 17:35:01 UTC