osTicket
Category: Customer Service Management
osTicket is an open-source support ticketing system, integrating queries from various sources (email, phone, web) into a centralized interface. It’s written in PHP with MySQL and can be hosted on Windows or Linux.
Support portals like osTicket can expose email addresses and usernames, which aids social engineering attacks. These details can then be used to access other services within the organization, especially where password reuse or weak password policies are in place.
When we come across support portals (especially externally facing ones), we should test the functionality: for example, whether we can create a ticket and have a legitimate company email address assigned to us. From there, we may be able to use that email address to sign in to other company services and gain access to sensitive data.
Exploitation Techniques:
Social Engineering: An attacker may pose as an uninformed user to extract information from support staff.
Account Compromise: Unsecured support mailboxes, or accounts whose passwords have been reset to a default value, can be leveraged for unauthorized access.
Further OSINT Opportunities: Address books within osTicket, and the email addresses associated with them, can be targeted in follow-on attacks.
Mitigation Suggestions:
Limit the exposure of applications to the outside world.
Enforce multi-factor authentication on externally facing portals.
Strengthen password policies, including forced password changes and prohibitions on weak passwords.
Educate staff on security best practices so they can recognize phishing and avoid password reuse.