by r0t,der4444,cembo,VietMafia

Friday, December 30, 2005

Kayako SupportSuite multiple vuln.


Vulnerabilities discovered by: r0t
Date: 30 Dec. 2005
Vendor: http://www.kayako.com/supportsuite.php
Affected version: v3.00.26 and prior

Product Description:

Kayako SupportSuite offers a true integrated multi-channel solution allowing you to manage your emails, online issues, chats, self service and issues received by phone. The entire system has been designed to improve productivity and provide seamless integration between all the available modules. With a rich AJAX-based interface and unmatched features like IRS, VoIP and ViewShare, you can be assured that your client issues are handled not only in a timely but also in an efficient manner.


Vuln. Description:

Kayako SupportSuite contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "nav" parameter of "index.php", and to the "Full Name", "Email", "Subject" and "Registered Email" fields of the "register", "submit" and "lostpassword" modules, is not properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


POC:


/index.php?_m=downloads&_a=view&parentcategoryid=3&pcid=1&nav=[XSS]


For the PoC, manually enter:
''[XSS]

in

/index.php?_m=core&_a=register

Full Name:
Email:

/index.php?_m=tickets&_a=submit

Full Name:
Email:
Subject:

/index.php?_m=core&_a=lostpassword

Registered Email:


Additionally, an attacker can view the full installation path. This flaw exists because input passed to the "_a", "newsid", "downloaditemid" and "kbarticleid" parameters is not properly sanitised before being returned to the user.

/index.php?_m=news&_a=[FULL PATH]

/index.php?_m=news&_a=viewnews&newsid=[FULL PATH]

/index.php?_m=downloads&_a=downloadfile&downloaditemid=[FULL PATH]

/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=[FULL PATH]

Solution:
Edit the source code to ensure that input is properly sanitised.
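Until the source is fixed, the request patterns above can be spotted in web server logs. The following detector is an added example, not part of the advisory or of Kayako's code: it parses constructed Apache-style access log lines and flags "nav" values carrying markup and non-numeric values in the id parameters named above. Only GET query strings appear in access logs, so the form-field names ("fullname", "email", "subject") are assumed and only matter if those fields are sent in a query string.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Parameters named in the advisory, grouped by the flaw they belong to.
# The form-field parameter names are assumed; the advisory only gives the labels.
XSS_PARAMS = {"nav", "fullname", "email", "subject"}
ID_PARAMS = {"newsid", "downloaditemid", "kbarticleid"}

# Loose markup/script indicators: a tag opener, a javascript: URL or an on*= handler.
TAG_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=", re.I)

# Apache combined-format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not taken from the advisory or any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Dec/2005:10:01:02 +0000] "GET /index.php?_m=downloads&_a=view&parentcategoryid=3&pcid=1&nav=Downloads HTTP/1.1" 200 5120
10.0.0.9 - - [30/Dec/2005:10:02:11 +0000] "GET /index.php?_m=downloads&_a=view&parentcategoryid=3&pcid=1&nav=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5310
10.0.0.9 - - [30/Dec/2005:10:02:40 +0000] "GET /index.php?_m=news&_a=viewnews&newsid=abc HTTP/1.1" 200 2210
10.0.0.7 - - [30/Dec/2005:10:03:00 +0000] "GET /index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=42 HTTP/1.1" 200 3000
"""


def inspect_request(target):
    """Return a list of (parameter, reason) findings for one request target."""
    findings = []
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in query.items():
        for value in values:
            # parse_qs already percent-decodes once; decoding again catches
            # double-encoded probes such as %253Cscript%253E.
            v = unquote_plus(value)
            if name in XSS_PARAMS and TAG_RE.search(v):
                findings.append((name, "markup in reflected field"))
            elif name in ID_PARAMS and not v.isdigit():
                findings.append((name, "non-numeric id (path disclosure probe)"))
    return findings


def scan_log(text):
    """Return (client ip, target, findings) for each suspicious index.php request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or "/index.php" not in m["target"]:
            continue
        findings = inspect_request(m["target"])
        if findings:
            hits.append((m["ip"], m["target"], findings))
    return hits
```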

Copyright (c) 2006 Pridels Sec Crew