by r0t,der4444,cembo,VietMafia

Friday, November 25, 2005

Kayako SupportSuite v3.00.x Full path Disclosure


Vuln. discovered by: r0t
Date: 25 Nov. 2005
Vendor: kayako.com
Affected version: v3.00.12 and prior

Vuln. Description:

Invalid or missing input parameters may be exploited by attackers to determine the installation path.
Example requests:

/index.php?_m=troubleshooter&_a=
/index.php?_m=troubleshooter&_a=steps&troubleshootercatid=
/index.php?_m=downloads&_a=viewdownload&downloaditemid=
/index.php?_m=downloads&_a=
/index.php?_m=knowledgebase&_a=
/index.php?_m=tickets&_a=
/index.php?_m=news&_a=
/index.php?_m=news&_a=viewnews&newsid=

Solution:
Edit the source code to ensure that input is properly sanitised.
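As an added illustration of the fix the solution asks for (example code, not Kayako's own; the module file layout, the default "list" action and the route table are assumptions built from the URLs above):

```php
<?php
// Added example, not Kayako's code: a minimal front controller showing why an empty
// "_m"/"_a" parameter can disclose the install path, and a hardened form.

// Vulnerable pattern (assumed for illustration). With ?_m=news&_a= the include target
// becomes ".../modules/news/.php", which does not exist. If display_errors is on, PHP
// emits "Warning: include(...): failed to open stream ... in /var/www/html/index.php
// on line N" straight into the response, revealing the absolute path.
function dispatchVulnerable(array $get): void
{
    include __DIR__ . '/modules/' . $get['_m'] . '/' . $get['_a'] . '.php';
}

// Hardened pattern: allow-list every module and action, substitute a safe default
// for anything missing or unknown, and keep PHP error output out of the response.
const ROUTES = [                       // assumed table; names from the advisory
    'troubleshooter' => ['list', 'steps'],
    'downloads'      => ['list', 'viewdownload'],
    'knowledgebase'  => ['list'],
    'tickets'        => ['list'],
    'news'           => ['list', 'viewnews'],
];

/** Return the validated [module, action] pair, or null if the request is invalid. */
function resolveRoute(array $get): ?array
{
    $module = $get['_m'] ?? '';
    $action = ($get['_a'] ?? '') === '' ? 'list' : $get['_a'];   // "_a=" means default
    if (!isset(ROUTES[$module]) || !in_array($action, ROUTES[$module], true)) {
        return null;
    }
    return [$module, $action];
}

/** Validate an optional id parameter (newsid, downloaditemid, ...); null if not a positive int. */
function resolveId(array $get, string $name): ?int
{
    $id = filter_var($get[$name] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function dispatchHardened(array $get): void
{
    ini_set('display_errors', '0');    // errors go to the log, never to the client
    $route = resolveRoute($get);
    if ($route === null) {
        http_response_code(404);
        echo 'Not found';
        return;
    }
    [$module, $action] = $route;
    include __DIR__ . "/modules/$module/$action.php";
}
```

With the hardened dispatcher, every request listed above resolves to either a known page or a plain 404, so no PHP warning containing the server path ever reaches the browser.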

Copyright (c) 2006 Pridels Sec Crew