Kayako forum: News and Announcements

#1
Varun Shoor
Chief Executive Officer
Posts: 2,829
Join Date: May 2003
eSupport v2.3.1 Stable Released - (XSS Vulnerability Fix) - 26-12-2004, 04:24 AM

Kayako eSupport XSS Vulnerability
==============================

A security vulnerability has been discovered in all eSupport versions prior to v2.3. The vulnerability allows a person to execute JavaScript on the client's computer to retrieve the ticket key. This vulnerability can be exploited only if the client opens a URL posted by the attacker.

Please download the build from the Members Area only after you see v2.3.1 as the version number. The files are still being committed as we send this announcement. If you have any questions, please email support AT kayako.com. You can also contact me directly at varun AT kayako.com or over IM (details listed in my profile). We would like to thank James from GulfTech for discovering these vulnerabilities.

Upgrading from v2.3 to v2.3.1 Stable
=============================================
* IMPORTANT! Backup BOTH your Database (mysqldump) and your Files before proceeding.
* Replace all your existing files with the new ones in the upload_zend/upload_ioncube directory
* REMOVE admin/setup.php
* Make sure BOTH your config.php AND key.php are in the admin/ directory after you have replaced the files

Upgrading from v2.2.5 to v2.3.1 Stable
=============================================
* IMPORTANT! Backup BOTH your Database (mysqldump) and your Files before proceeding.
* Replace all your existing files with the new ones in the upload_zend/upload_ioncube directory
* REMOVE admin/setup.php
* Make sure BOTH your config.php AND key.php are in the admin/ directory after you have replaced the files

Upgrading from v2.2 to v2.3.1 Stable
=============================================
* IMPORTANT! Backup BOTH your Database (mysqldump) and your Files before proceeding.
* Replace all your existing files with the new ones in the upload_zend/upload_ioncube directory
* REMOVE admin/setup.php
* Make sure BOTH your config.php AND key.php are in the admin/ directory after you have replaced the files
* Upload the file "upgrade_v2.2_to_v2.3.php" from your upgrade/ directory over to the admin/ directory and run it from your web browser
* Follow the steps; it should finish without any issues.
* Delete "upgrade_v2.2_to_v2.3.php" from your admin/ directory

Upgrading from v2.1.x to v2.3.1 Stable
=============================================
* IMPORTANT! Backup BOTH your Database (mysqldump) and your Files before proceeding.
* Replace all your existing files with the new ones in the upload_zend/upload_ioncube directory
* REMOVE admin/setup.php
* Make sure BOTH your config.php AND key.php are in the admin/ directory after you have replaced the files
* Upload the file "upgrade_v2.1.x_to_v2.3.php" from your upgrade/ directory over to the admin/ directory and run it from your web browser
* Follow the steps; it should finish without any issues.
* Delete "upgrade_v1.x_to_v2.3.php" from your admin/ directory


Varun Shoor (varun.shoor ]at[ kayako.com)
#2
Varun Shoor
Chief Executive Officer
Posts: 2,829
Join Date: May 2003
26-12-2004, 04:25 AM

This version also fixes the issues with PHP 4.3.10.

Regards,

Varun Shoor


Varun Shoor (varun.shoor ]at[ kayako.com)
#3
Neil-UKWSD
Member
Posts: 864
Join Date: Jun 2003
Location: United Kingdom
08-02-2005, 02:12 PM

If you are using WinZip to extract the files, please ensure you enable "TAR file smart CR/LF conversion" under Options > Configurations > Miscellaneous in WinZip beforehand.

Also remember to CHMOD pop3pipe.php and autoclose.php to 755 so they can be executed by cron.


Neil Wood | UK Web.Solutions Direct Ltd

UK cPanel/WHM hosting accounts
http://ukwebsolutionsdirect.co.uk
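The upgrade steps in post #1 (back up first, replace the files, remove admin/setup.php, keep config.php and key.php in admin/, delete the one-off upgrade script) and Neil's note about making the cron scripts executable are easy to get half-right, and a leftover setup.php or upgrade script is the kind of thing an attacker looks for. The script below is an added example, not Kayako's own tooling or anything posted in this thread: a backup helper plus a post-upgrade check that reports each condition and returns non-zero if any fails. It assumes pop3pipe.php and autoclose.php live in the install root (the thread does not say where), that the install root is a path you pass in (the /var/www/esupport in the usage line is made up), and that either GNU or BSD stat is available.

```shell
#!/bin/sh
# Post-upgrade sanity check for an eSupport install (added example; not
# Kayako's code). Verifies the conditions spelled out in the upgrade
# steps: admin/setup.php removed, admin/config.php and admin/key.php
# present, no upgrade_*.php left in admin/, and the cron scripts
# pop3pipe.php / autoclose.php set to mode 755.
# Assumption: the cron scripts sit in the install root.

# Dump the database and tar the files before touching anything.
# Usage: backup_esupport <install_root> <db_name> <db_user> <backup_dir>
# (mysqldump -p prompts for the password interactively.)
backup_esupport() {
    root=$1; db=$2; user=$3; dest=$4
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest" || return 1
    mysqldump -u "$user" -p "$db" > "$dest/$db-$stamp.sql" || return 1
    tar -czf "$dest/esupport-files-$stamp.tar.gz" -C "$root" . || return 1
    echo "backup written to $dest"
}

# Permission bits of a file as an octal string such as 755
# (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Check one install root. Prints a line per finding; returns 0 only if
# every check passes.
check_esupport_upgrade() {
    root=$1
    rc=0

    # The installer must not stay reachable after the upgrade.
    if [ -e "$root/admin/setup.php" ]; then
        echo "FAIL: $root/admin/setup.php still present; remove it"
        rc=1
    else
        echo "ok:   admin/setup.php removed"
    fi

    # Both config files must survive the file replacement.
    for f in config.php key.php; do
        if [ -f "$root/admin/$f" ]; then
            echo "ok:   admin/$f present"
        else
            echo "FAIL: admin/$f missing (restore it from your backup)"
            rc=1
        fi
    done

    # One-off upgrade scripts are run from admin/ and then deleted.
    for f in "$root"/admin/upgrade_*.php; do
        [ -e "$f" ] || continue
        echo "FAIL: leftover upgrade script $f; delete it"
        rc=1
    done

    # Scripts invoked by cron need the execute bit (mode 755).
    for f in pop3pipe.php autoclose.php; do
        if [ ! -f "$root/$f" ]; then
            echo "FAIL: $f not found under $root"
            rc=1
        elif [ "$(file_mode "$root/$f")" != "755" ]; then
            echo "FAIL: $f has mode $(file_mode "$root/$f"), expected 755"
            rc=1
        else
            echo "ok:   $f is mode 755"
        fi
    done

    return $rc
}

# Usage: sh esupport_check.sh /var/www/esupport   (path is a placeholder)
if [ "$#" -eq 1 ]; then
    check_esupport_upgrade "$1"
fi
```

Run the check after every step that touches files; because it exits non-zero on any failure it can sit at the end of an upgrade script or in a cron job that alerts if setup.php ever reappears.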
   