Directory traversal vulnerability in osTicket 1.6 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to module.php, a different vector than CVE-2005-1439. NOTE: this issue has been disputed by a reliable third party.
osTicket 1.6 is vulnerable to a directory traversal attack, allowing attackers to read sensitive files on the server. This vulnerability, exploitable through the module.php script, could lead to data breaches and compromise of the system's integrity. A third party has disputed the issue, which may reduce its impact, but it should still be assessed.
Step 1: Payload Delivery: The attacker crafts a URL targeting module.php with a manipulated file parameter. This parameter includes ../ sequences to navigate up the directory tree.
Step 2: Request Processing: The web server receives the malicious request and forwards it to module.php.
Step 3: Path Manipulation: The module.php script processes the file parameter, potentially constructing a file path based on the user-supplied input.
Step 4: File Access: Due to the lack of proper input validation, the script uses the manipulated path to access a file on the server. The attacker can specify any file that the web server user has permission to read.
Step 5: Information Disclosure: The contents of the requested file are returned to the attacker, leading to information disclosure.
The vulnerability stems from insufficient input validation in the module.php script when handling the file parameter. Specifically, the script fails to properly sanitize or restrict the path provided in the file parameter. This allows an attacker to inject ../ sequences, effectively traversing the directory structure and accessing files outside the intended scope. The root cause is a lack of proper path traversal prevention, such as input validation and sanitization, or the use of a secure file access mechanism that restricts file access to a specific directory.
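To assess exposure to the request described in Steps 1 to 5, the following added example (not code from osTicket or from the original advisory) scans web access logs for module.php requests whose file parameter contains a dot-dot path segment, including percent-encoded and double-encoded forms. The log format, the sample lines and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request field of a common/combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /module.php?file=faq.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /module.php?file=../../secret.txt HTTP/1.1" 200 1480',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /module.php?file=%252e%252e%252fsecret.txt HTTP/1.1" 404 210',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?file=../x HTTP/1.1" 200 90',
    '203.0.113.8 - - [01/Jan/2024:10:00:11 +0000] "GET /module.php?file=release..notes.txt HTTP/1.1" 200 77',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment of the decoded value is exactly '..'."""
    return ".." in re.split(r"[\\/]", fully_decode(value))

def suspicious_requests(log_lines):
    """Return (line number, file value) for module.php requests with a dot-dot file parameter."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if not fully_decode(target.path).lower().endswith("/module.php"):
            continue
        # parse_qs decodes one layer; has_traversal removes any further layers.
        values = parse_qs(target.query, keep_blank_values=True).get("file", [])
        hits.extend((n, v) for v in values if has_traversal(v))
    return hits

if __name__ == "__main__":
    for line_no, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: file={value!r}")
```

Parameters sent in a POST body do not appear in access logs, so this check covers only values carried in the query string.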