
osTicket SVA-2008-301 - Cross Site Scripting
osTicket security vulnerability advisory

Issue Type: SVA
Project: osTicket Security Advisory
Category: Unknown
Affected Version: 1.6 rc3
Priority: 3
Status: fixed
Fixed Version: 1.6 rc4
Submitted: 03-17-2008
Assigned Users: (none)
Tags: (none)

issueid=71 03-17-2008 05:36 AM
Developer

osTicket prior to v1.6 RC4 fails to properly handle and/or escape user inputs prior to their being displayed on ticket list/view pages, allowing a remote user to potentially inject arbitrary HTML and/or script code and possibly cause a remote denial of service attack. The Format::striptags function used to clean inputs fails to handle special cases of unclosed tags.

The security risk is moderately critical and for this reason we strongly recommend upgrading to the latest version (osTicket v1.6 RC4) as soon as possible. If you are unable to upgrade immediately, you should patch your current installation until you are able to do a complete upgrade.

To temporarily patch osTicket v1.6 RC1-RC3, do the following:

* In class.format.php, change

PHP Code:
    function striptags($string) {
        $search = array("'<script[^>]*?>.*?</script>'si", "'<[/!]*?[^<>]*?>'si");
        return preg_replace($search, array("", ""), html_entity_decode($string)); //Decode incoming string before stripping tags
    }

to
PHP Code:
    function striptags($string) {
        return strip_tags(html_entity_decode($string)); //strip all tags ...no mercy!
    }

Change
PHP Code:
    function display($text) {
        global $cfg;

        if($cfg && $cfg->clickableURLS() && $text)
            $text=Format::clickableurls($text);

        return nl2br($text);
    }
to
PHP Code:
    //Format text for display..
    function display($text) {
        global $cfg;

        $text=Format::htmlchars($text); //take care of html special chars
        if($cfg && $cfg->clickableURLS() && $text)
            $text=Format::clickableurls($text);

        return nl2br($text);
    }
Note: A full upgrade is strongly advised.

For more information and reference, please see http://www.securityfocus.com/bid/28144/

To contact osTicket developers regarding security related issues, please use the form at http://osticket.com/support/contact.php
Reply
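As an added illustration (a Python port, not osTicket's own code), the two patterns from the pre-RC4 striptags above next to stand-ins for the old and the RC4 display(): a closed tag is stripped, but an unclosed tag has no `>` for the tag pattern to match and survives untouched, and only escaping at display time renders it inert. The `leaks_markup` check, the `html.escape` stand-in for Format::htmlchars, and the sample inputs are constructed for this example.

```python
import html
import re

# Python port (added example, not osTicket's own code) of the two patterns
# that Format::striptags used before RC4. PHP's 'si' modifiers map to
# re.S | re.I; html_entity_decode() maps to html.unescape().
_SEARCH = [
    re.compile(r"<script[^>]*?>.*?</script>", re.S | re.I),
    re.compile(r"<[/!]*?[^<>]*?>", re.S | re.I),
]


def striptags_pre_rc4(string: str) -> str:
    """Regex stripper: decode entities, then delete anything shaped like a tag."""
    decoded = html.unescape(string)
    for pattern in _SEARCH:
        decoded = pattern.sub("", decoded)
    return decoded


def display_pre_rc4(text: str) -> str:
    """Old display(): nl2br() only, the stored text is never escaped."""
    return text.replace("\n", "<br />\n")


def display_rc4(text: str) -> str:
    """RC4 display(): escape first (stand-in for Format::htmlchars), then nl2br()."""
    return html.escape(text, quote=True).replace("\n", "<br />\n")


def leaks_markup(rendered: str) -> bool:
    """Defender's check: any '<' left other than the <br /> that nl2br() emits."""
    return re.search(r"<(?!br />)", rendered) is not None


def compare(text: str) -> dict:
    """Run one stored value through the old stripper and both display() variants."""
    stripped = striptags_pre_rc4(text)
    return {
        "stripped": stripped,
        "old_display_leaks": leaks_markup(display_pre_rc4(stripped)),
        "new_display_leaks": leaks_markup(display_rc4(stripped)),
    }


if __name__ == "__main__":
    # Constructed samples: closed tag removed, unclosed tag kept, plain '<'/'>' text damaged.
    for sample in ("<b>hello</b>", "<b unclosed", "1 < 2 and 3 > 1"):
        print(repr(sample), "->", compare(sample))
```

The third sample shows the other side of a blunt regex stripper: legitimate text between a `<` and a later `>` is silently deleted, which is why escaping on output, not stripping on input, is the fix that RC4 adds.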

01-06-2009 09:01 PM
Junior Member
 
I have upgraded
Thank you
Reply
01-24-2009 07:41 AM
Junior Member
 
Hi,

I have installed and am using osTicket 1.6 rc4. I've been looking for whether there is a security issue remaining in this version. Then I found this message and read it. Then I started to look into this issue on the internet. Then I found this article that says the cross site scripting issue remains in version 1.6, and the date it was written, 3 March 2008, is the same as when version 1.6 rc4 appeared on the downloads page.

So could you reply as to whether a security issue remains in version 1.6 or not? This is crucial for me, as I want to use this software seriously.

Thanks...
Reply
01-24-2009 07:42 AM
Junior Member
 
Hi,

I have installed and am using osTicket 1.6 rc4. I've been looking for whether there is a security issue remaining in this version. Then I found this message and read it.

http://www.digitrustgroup.com/adviso...-osticket.html

Then I started to look into this issue on the internet. Then I found this article that says the cross site scripting issue remains in version 1.6, and the date it was written, 3 March 2008, is the same as when version 1.6 rc4 appeared on the downloads page.

So could you reply as to whether a security issue remains in version 1.6 or not? This is crucial for me, as I want to use this software seriously.

Thanks...
Reply
01-30-2009 10:26 PM
Senior Member
 
Quote:
Originally Posted by cagdas
Then I started to look into this issue on the internet. Then I found this article that says the cross site scripting issue remains in version 1.6, and the date it was written, 3 March 2008, is the same as when version 1.6 rc4 appeared on the downloads page.

So could you reply as to whether a security issue remains in version 1.6 or not? This is crucial for me, as I want to use this software seriously.

Thanks...
They must have just taken longer to post it. That issue is fixed in RC4. The subject variable goes through the same sanitizing as the other variables before being inserted in the database.

PHP Code:
    subject='.db_input(Format::striptags($var['subject'])).
Reply
