Open ISES Tickets TLS Certificate Verification Vulnerability in Google Maps API Integration

A vulnerability exists in Open ISES Tickets versions prior to 3.44.2, where TLS certificate verification is disabled in 'ajax/reports.php' during Google Maps Directions API lookups for incident reports. This is achieved by setting CURLOPT_SSL_VERIFYPEER to false and omitting CURLOPT_SSL_VERIFYHOST, allowing an attacker on the network path to intercept, monitor, or modify the request and response. This includes any API keys or session data in transit.

Impact

Exploitation of this vulnerability allows for interception and modification of HTTPS traffic between the server and the Google Maps Directions API, including any sensitive data such as API keys or session information.

Reproduction

To reproduce this vulnerability, generate an incident report in Open ISES Tickets versions prior to 3.44.2. During the report generation, the application will make an outbound HTTPS request to the Google Maps Directions API without verifying the TLS certificate. This can be done by manually editing the 'ajax/reports.php' file to disable certificate verification and then observing the intercepted traffic with a tool like Burp Suite or Wireshark.

Remediation

Users are advised to upgrade to Open ISES Tickets version 3.44.2 or later, where this vulnerability has been patched.