📄 Description (English)
Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.
🤖 AI Executive Summary
osTicket versions 1.18.x before 1.18.3 and 1.17.x before 1.17.7 contain an arbitrary file read vulnerability in PDF export functionality. Attackers can craft malicious HTML in ticket submissions to read sensitive files from the server filesystem through mPDF processing. This vulnerability is exploitable in default configurations where guest ticket creation is enabled, posing significant risk to organizations storing confidential data in osTicket systems.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 4, 2026 00:55
🇸🇦 Saudi Arabia Impact Assessment
Saudi government agencies, municipalities, and public sector organizations using osTicket for citizen service requests face critical risk of data disclosure. Banking sector customer service operations could expose account information, transaction details, and KYC documents. Healthcare providers using osTicket for patient inquiries risk HIPAA-equivalent compliance violations under Saudi healthcare regulations. Telecommunications companies (STC, Mobily, Zain) managing customer support tickets could leak network infrastructure details and customer PII. Energy sector organizations (ARAMCO subsidiaries) could expose operational security information. The vulnerability is particularly dangerous in Saudi context where many government entities use osTicket with public-facing guest ticket creation enabled.
🏢 Affected Saudi Sectors
Government and Public Administration
Banking and Financial Services
Healthcare and Medical Services
Energy and Utilities
Telecommunications
Education
Retail and E-commerce
Insurance
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Upgrade osTicket to version 1.18.3 or later (for 1.18.x branch) or 1.17.7 or later (for 1.17.x branch) immediately
2. If immediate patching is not possible, disable guest ticket creation and public ticket status access in osTicket configuration
3. Restrict PDF export functionality to authenticated users only via osTicket admin panel
4. Review audit logs for suspicious PDF export activities, particularly those with unusual file paths in ticket content
PATCHING GUIDANCE:
1. Backup osTicket database and configuration files before patching
2. Download official patches from Enhancesoft security advisories
3. Apply patches in test environment first to verify compatibility
4. Schedule maintenance window for production deployment
5. Verify mPDF library is updated to latest version (minimum 8.1.0)
COMPENSATING CONTROLS (if patching delayed):
1. Implement Web Application Firewall (WAF) rules to block PDF export requests containing PHP filter expressions or suspicious HTML entities
2. Deploy input validation at application level to sanitize HTML content in ticket submissions
3. Restrict file system permissions for osTicket application user to read-only access on non-critical directories
4. Monitor and log all PDF export operations with detailed request/response logging
5. Implement network segmentation to limit osTicket server access
DETECTION RULES:
1. Monitor for POST requests to /scp/tickets.php?a=export with Content-Type containing 'pdf'
2. Alert on ticket submissions containing 'php://', 'file://', 'data://' URI schemes in HTML content
3. Log and alert on mPDF processing errors related to file access attempts
4. Monitor osTicket application logs for 'filter=' parameters in ticket content
5. Track unusual file access patterns from osTicket process (www-data/apache user)
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. ترقية osTicket إلى الإصدار 1.18.3 أو أحدث (لفرع 1.18.x) أو 1.17.7 أو أحدث (لفرع 1.17.x) فوراً
2. إذا لم يكن الترقية الفورية ممكنة، قم بتعطيل إنشاء تذاكر الضيوف والوصول العام لحالة التذاكر في إعدادات osTicket
3. تقييد وظيفة تصدير PDF للمستخدمين المصرح لهم فقط عبر لوحة إدارة osTicket
4. مراجعة سجلات التدقيق للأنشطة المريبة لتصدير PDF، خاصة تلك التي تحتوي على مسارات ملفات غير عادية في محتوى التذاكر
إرشادات التصحيح:
1. عمل نسخة احتياطية من قاعدة بيانات osTicket وملفات التكوين قبل التصحيح
2. تحميل التصحيحات الرسمية من مستشاري أمان Enhancesoft
3. تطبيق التصحيحات في بيئة الاختبار أولاً للتحقق من التوافق
4. جدولة نافذة صيانة لنشر الإنتاج
5. التحقق من تحديث مكتبة mPDF إلى أحدث إصدار (الحد الأدنى 8.1.0)
الضوابط البديلة (إذا تأخر التصحيح):
1. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحظر طلبات تصدير PDF التي تحتوي على تعبيرات مرشحات PHP أو كيانات HTML مريبة
2. نشر التحقق من صحة الإدخال على مستوى التطبيق لتنظيف محتوى HTML في تقديمات التذاكر
3. تقييد أذونات نظام الملفات لمستخدم تطبيق osTicket للوصول للقراءة فقط على الدلائل غير الحرجة
4. مراقبة وتسجيل جميع عمليات تصدير PDF مع تسجيل مفصل للطلب/الاستجابة
5. تنفيذ تقسيم الشبكة لتحديد وصول خادم osTicket
قواعد الكشف:
1. مراقبة طلبات POST إلى /scp/tickets.php?a=export مع Content-Type يحتوي على 'pdf'
2. تنبيه على تقديمات التذاكر التي تحتوي على مخططات URI 'php://' أو 'file://' أو 'data://' في محتوى HTML
3. تسجيل والتنبيه على أخطاء معالجة mPDF المتعلقة بمحاولات الوصول إلى الملفات
4. تتبع معاملات 'filter=' غير العادية في محتوى التذاكر
5. تتبع أنماط الوصول إلى الملفات غير العادية من عملية osTicket (مستخدم www-data/apache)
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - Access Control Policy
A.8.2.1 - User Endpoint Devices
A.8.3.1 - Information Access Restriction
A.12.2.1 - Restrictions on Software Installation
A.12.6.1 - Management of Technical Vulnerabilities
🔵 SAMA CSF
ID.GV-1: Organizational processes to manage cybersecurity risk
PR.IP-1: Security policies and procedures
PR.IP-12: Software, firmware, and information integrity checks
DE.CM-8: Vulnerability scans are performed
RS.MI-2: Incidents are mitigated
🟡 ISO 27001:2022
A.5.1 - Management direction for information security
A.6.1 - Screening
A.8.1 - User endpoint devices
A.8.3 - Access control
A.12.2 - Restrictions on software installation
A.12.6 - Management of technical vulnerabilities
A.14.2 - Security requirements analysis and specification
🟣 PCI DSS v4.0.1
Requirement 2.2 - Configuration standards for system components
Requirement 6.2 - Security patches and updates
Requirement 6.5 - Injection flaws prevention
Requirement 11.2 - Vulnerability scanning
🔗 References & Sources 5
🔗
https://github.com/osTicket/osTicket/commit/c59b067
disclosure@vulncheck.com
Patch
🔗
https://github.com/osTicket/osTicket/releases/tag/v1.17.7
disclosure@vulncheck.com
Release Notes
🔗
https://github.com/osTicket/osTicket/releases/tag/v1.18.3
disclosure@vulncheck.com
Release Notes
🔗
https://horizon3.ai/attack-research/attack-blogs/ticket-to-shell-exploiting-php-filters...
disclosure@vulncheck.com
Exploit
🔗
https://www.vulncheck.com/advisories/osticket-pdf-export-arbitrary-file-read
disclosure@vulncheck.com
Third Party Advisory
📦 Affected Products / CPE 2 entries
enhancesoft:osticket
enhancesoft:osticket