Rapid7

module

osTicket Arbitrary File Read via PHP Filter Chains in mPDF

Disclosed
Jan 13, 2026

Description

This module exploits an arbitrary file read vulnerability in osTicket
(CVE-2026-22200). The vulnerability exists in osTicket's PDF export
functionality which uses mPDF. By injecting a specially crafted HTML payload
containing PHP filter chain URIs into a ticket reply, an attacker can read
arbitrary files from the server when the ticket is exported to PDF.

The PHP filter chain prepends a BMP image header to the contents of the target
file, so the result parses as a bitmap. When mPDF renders the ticket as a PDF,
it resolves the php://filter URI, reads the target file through it, and embeds
the bytes as a bitmap image in the resulting PDF. The module then recovers the
file contents from the image data in the PDF.
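The following Python is an added illustration of the two halves of the technique described above; it is not the Metasploit module's code and does not reproduce mPDF internals. It assumes a simplified PDF in which the image is stored as a single FlateDecode stream of the raw bitmap (real mPDF output has more objects and may re-encode the pixel data), and it uses a 4-pixel-wide 24-bit bitmap so that rows need no padding. The sample target contents and the sample PDF are constructed inline.

```python
import re
import struct
import zlib

# Constructed stand-in for the target file (e.g. /etc/passwd); not real data.
SAMPLE_TARGET = (
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"www-data:x:33:33::/var/www:/usr/sbin/nologin\n"
)

ROW_WIDTH_PX = 4            # 4 px * 3 bytes = 12-byte rows, already 4-byte aligned
ROW_BYTES = ROW_WIDTH_PX * 3


def bmp_header(payload_len, width=ROW_WIDTH_PX):
    """Build a 54-byte BMP header (14-byte file header + 40-byte BITMAPINFOHEADER)
    for a 24-bit image whose pixel area is large enough to hold payload_len bytes.
    This is what gets prepended to the target file so it parses as a bitmap."""
    row = width * 3
    height = -(-payload_len // row)          # ceil division
    image_size = row * height
    file_header = struct.pack("<2sIHHI", b"BM", 54 + image_size, 0, 0, 54)
    dib_header = struct.pack(
        "<IiiHHIIiiII",
        40, width, height, 1, 24, 0, image_size, 2835, 2835, 0, 0,
    )
    return file_header + dib_header


def wrap_as_bmp(data):
    """Prefix data with a BMP header and zero-pad it to whole pixel rows."""
    padded = data + b"\x00" * (-len(data) % ROW_BYTES)
    return bmp_header(len(data)) + padded


def build_sample_pdf(image_bytes):
    """Constructed minimal PDF with one image XObject whose stream is the
    Flate-compressed bitmap. Only the stream dictionary and the stream/endstream
    markers matter to the carving logic below."""
    compressed = zlib.compress(image_bytes)
    obj = (
        b"<< /Type /XObject /Subtype /Image /Filter /FlateDecode /Length %d >>\n"
        b"stream\n" % len(compressed)
        + compressed
        + b"\nendstream"
    )
    return b"%PDF-1.4\n1 0 obj\n" + obj + b"\nendobj\ntrailer\n<< >>\n%%EOF\n"


# Non-greedy match of a flat stream dictionary followed by its body. Nested
# dictionaries would need a real PDF parser; this is enough for the demo.
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def carve_files(pdf_bytes):
    """Return the payload hidden in every FlateDecode stream that inflates to a
    BMP. The header is skipped using bfOffBits (offset 10) rather than assuming
    54 bytes. Trailing zero padding is stripped, so a target file that really
    ends in NUL bytes would lose them; the BMP carries no original length."""
    results = []
    for dict_src, body in STREAM_RE.findall(pdf_bytes):
        if b"/FlateDecode" not in dict_src:
            continue
        try:
            raw = zlib.decompress(body)
        except zlib.error:
            continue
        if raw[:2] != b"BM" or len(raw) < 54:
            continue
        pixel_offset = struct.unpack_from("<I", raw, 10)[0]
        results.append(raw[pixel_offset:].rstrip(b"\x00"))
    return results


if __name__ == "__main__":
    pdf = build_sample_pdf(wrap_as_bmp(SAMPLE_TARGET))
    for recovered in carve_files(pdf):
        print(recovered.decode())
```

In a real exploitation chain the BMP header is not written to disk; it is produced by the php://filter URI itself, using the chained convert.iconv charset conversions that the public PHP filter chain generators emit, with the target file as the wrapper's resource. The carving half is the part an analyst can also apply defensively: any exported PDF whose image stream inflates to a bitmap with readable text in its pixel area is evidence that this technique was used.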

Authentication is required. The module supports both staff panel (/scp/) and
client portal login. An existing ticket number is also required.

Default files extracted are /etc/passwd and include/ost-config.php. The
osTicket config file contains database credentials and the SECRET_SALT value.