osTicket

Overview

Open-source support ticketing system
Written in PHP with MySQL backend
Often exposes company email domains

Discovery

Cookie: OSTSESSID
Footer: "powered by osTicket"
Default path: /support/

Email Domain Exposure

Attack Flow

Create support ticket on osTicket portal
osTicket assigns temporary email: [email protected]
Use this email to register on other services (Slack, GitLab, etc.)
Verification emails appear in osTicket ticket thread

Exploitation

Submit new ticket
Note assigned email (e.g., [email protected])
Use email to register on:
- Slack workspace
- GitLab instance
- Mattermost
- Internal wikis
Check ticket for verification email
Complete registration on target service

CVE-2020-24881 (SSRF)

Affects: osTicket 1.14.1

SSRF vulnerability to access internal resources:

# May allow internal port scanning
# May expose internal services

Credential Reuse

If you obtain leaked credentials (via Dehashed, breaches):

Try credentials on osTicket admin panel
Admin panel typically at /scp/
Look for API keys, integrations, email configs

Important Paths

Path

Description

/scp/

Staff Control Panel (admin)

/api/

API endpoint

/kb/

Knowledge base

/tickets.php

Ticket submission

Post-Access

If admin access obtained:

Check Admin Panel → Emails for SMTP credentials
Check Admin Panel → API Keys for API tokens
Review Admin Panel → Plugins for integrations

PreviousGitLab NextShellshock CGI

Last updated 25 days ago

hashtagOverview

hashtagDiscovery

hashtagEmail Domain Exposure

hashtagAttack Flow

hashtagExploitation

hashtagCVE-2020-24881 (SSRF)

hashtagCredential Reuse

hashtagImportant Paths

hashtagPost-Access