CVE-2017-15580
Published 2017-10-23
Priority: P269 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 15.98% (96.5th percentile)
osTicket 1.10.1 provides a functionality to upload 'html' files with associated formats. However, it does not properly validate the uploaded file's contents and thus accepts any type of file, such as with a tickets.php request that is modified with a .html extension changed to a .exe extension. An attacker can leverage this vulnerability to upload arbitrary files on the web application having malicious content.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| osticket | osticket | — | — |
Detection & IOCs (extracted from sources)
- Monitor file upload requests to tickets.php where the file extension has been changed from .html to .exe (or other executable types) via intercepted/modified HTTP requests; this indicates a client-side bypass.
- Alert on POST requests to tickets.php containing a reply action where the uploaded file's declared Content-Type is text/html but the filename extension is non-HTML (e.g., .exe, .php, .jsp).
- Watch for outbound reverse TCP shell connections (e.g., on port 4444) originating from the web server process after a file upload to osTicket, consistent with payload execution.
- The bypass relies on client-side validation only; the server accepts any file type regardless of content. Detection must occur at the server/network layer, not the client.
- The vulnerability is specific to osTicket version 1.10.1; confirm the version before applying detections to avoid false positives on patched instances.
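
A server-side check for the second detection above, written as an added example (not code from this page or from osTicket). It parses a captured multipart POST to tickets.php and flags file parts whose declared Content-Type is text/html while the filename extension is not, and goes one step further by flagging content that begins with the "MZ" executable header. The form field name and the sample request body are constructed placeholders.

```python
import os
from email import message_from_bytes

HTML_EXTS = {".html", ".htm"}

def inspect_upload(method, path, content_type, body):
    """Return (filename, reason) findings for one request captured server-side."""
    if method != "POST" or not path.split("?")[0].endswith("tickets.php"):
        return []
    if not content_type.lower().startswith("multipart/form-data"):
        return []
    # Reuse the stdlib MIME parser by prepending the request's Content-Type header.
    msg = message_from_bytes(
        b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # ordinary form field, not a file part
        ext = os.path.splitext(name)[1].lower()
        data = part.get_payload(decode=True) or b""
        # Declared type says HTML, filename says otherwise.
        if part.get_content_type() == "text/html" and ext not in HTML_EXTS:
            findings.append((name, "declared text/html, extension " + (ext or "(none)")))
        # Content check the server should have done: Windows executables begin with "MZ".
        if data[:2] == b"MZ":
            findings.append((name, "content begins with MZ executable header"))
    return findings

# Constructed sample request body (field name "file" is a placeholder).
SAMPLE_CT = "multipart/form-data; boundary=XCONSTRUCTED"

def _part(filename, ctype, data):
    head = ('--XCONSTRUCTED\r\nContent-Disposition: form-data; name="file"; '
            'filename="%s"\r\nContent-Type: %s\r\n\r\n' % (filename, ctype))
    return head.encode() + data + b"\r\n"

BENIGN = _part("notes.html", "text/html", b"<html><body>ok</body></html>")
SUSPECT = _part("update.exe", "text/html", b"MZ\x90\x00 constructed bytes")
SAMPLE_BODY = BENIGN + SUSPECT + b"--XCONSTRUCTED--\r\n"

if __name__ == "__main__":
    for name, reason in inspect_upload("POST", "/tickets.php", SAMPLE_CT, SAMPLE_BODY):
        print(name, "->", reason)
```

The same function can be fed request bodies from a reverse proxy or WAF body log; the extension/type mismatch fires even when the payload is not a Windows executable (for example .php or .jsp).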
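CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |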
References
- http://0day.today/exploits/28864
- http://nakedsecurity.com/cve/CVE-2017-15580/
- https://becomepentester.blogspot.com/2017/10/osTicket-File-Upload-Restrictions-Bypassed-CVE-2017-15580.html
- https://cxsecurity.com/issue/WLB-2017100187
- https://packetstormsecurity.com/files/144747/osticket1101-shell.txt
- https://www.cyber-security.ro/blog/2017/10/25/osticket-1-10-1-shell-upload/
- https://www.exploit-db.com/exploits/45169/
Published: 2017-10-23