SupportSuite, eSupport and LiveResponse Discussion, troubleshooting and feedback related to Kayako's flagship support desk products SupportSuite, eSupport and LiveResponse.
#1 nwilkens (New Member, Posts: 7, Join Date: Oct 2007)
Kayako SupportSuite < 3.30.00 Multiple Vulnerabilities - 11-08-2008, 04:39 PM

Just read this article over at SecurityFocus.com:
SecurityFocus

And original article here: GulfTech Research And Development


----
##########################################################
# GulfTech Security Research August 09, 2008
##########################################################
# Vendor : Kayako Infotech Ltd.
# URL : Help Desk Software, Customer Service Software, Customer Support Software
# Version : Kayako SupportSuite < 3.30.00
# Risk : Multiple Vulnerabilities
##########################################################

Description:
Kayako SupportSuite is a very popular online eSupport
application that consists of several well known Kayako
products such as Kayako LiveResponse and Kayako eSupport.
Unfortunately there are several security issues in Kayako
SupportSuite that may allow for an attacker to gain access
to a staff account and then escalate their privileges to
administrator. These issues include Cross Site Scripting,
Script Injection, and SQL Injection. All of these issues
are resolved in Kayako SupportSuite 3.30 and users should
upgrade as soon as possible.

Cross Site Scripting:
There are a substantial number of Cross Site Scripting
issues present in Kayako SupportSuite that may allow for
an attacker to steal cookies and gain unauthorized access
to accounts.

/visitor/index.php?_m=livesupport&_a=startclientchat&sessionid="%20onload%3dalert(document.cookie)%20style=%3d

/index.php?_m=news&_a=view&filter=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Ca%20href=%22

The above URLs are a couple of examples of the issues in action.
Some of the XSS issues in SupportSuite require certain
conditions, such as the second example. It requires a certain
number of results to be displayed, so that the pagination is
present, since that's where the issue occurs.

assign\(('|"*)([a-zA-Z0-9_]*)('|"*), \$_(GET|REQUEST|POST|SERVER)

A quick grep of the Kayako SupportSuite codebase for the
above regex, which looks for gpc variables assigned directly
as a template variable, displays 28 matches in 7 files.

Script Injection:
In addition to the cross site scripting issues explained above
are some fairly dangerous script injection issues that can be
easily used to take over a staff member's account via cookie
theft just by chatting with them. For example, if a malicious
user creates an account, opens a ticket, or requests a chat with
arbitrary script in their "Full Name" field, then it will execute
successfully in the context of the staff member's browser when they
get a chat request, print a user's ticket, edit comments awaiting
approval, or edit the attacker's account.

"></script><script>alert(document.cookie);</script><script>

The above example can be inserted into the Full Name field, and
will display cookie information to the affected user whenever one
of the previously mentioned actions is taken.

SQL Injection:
There is a fairly serious blind SQL Injection issue in the staff
panel that lets a malicious staff user, or an attacker who may have
for example been able to gain access to a staff account from the
previously mentioned vulnerabilities, escalate their access to
administrator via password enumeration. The only condition required
is that the ticketid must be one that is present, and that the
attacker has access to.

/staff/index.php?_m=tickets&_a=ticketactions&action=delcflink&ticketid=1&customfieldlinkid=-99'
UNION SELECT IF(SUBSTRING(password,1, 1) = CHAR(50), BENCHMARK(1000000,
MD5(CHAR(1))), null),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM
ss_staff WHERE staffid=1/*

If an attacker were to visit a URL like the one above, he would
experience a noticeable delay on the page loading if the first
character of the staff user's hash with the id of 1 was a 2. It is
stated on the official bug tracker that "This defect was not actually
triggerable due to implementation details of a supporting function,
but could easily have become active in the future", but in the version
tested (3.20) it was very much exploitable. The above url should
suffice for anyone wanting to test if their version is vulnerable,
just remember to make sure the ticketid parameter is valid.

Solution:
The Kayako development team were fairly prompt in addressing these
issues, and fixes for all of the previously mentioned issues can be
found in the recently released 3.30 version of Kayako SupportSuite.
Users should upgrade as soon as possible.

Credits:
James Bercegay of the GulfTech Security Research Team

Related Info:
The original advisory can be found at the following location
GulfTech Research And Development
----


www.mnxsolutions.com/linux-dedicated - Linux Server Management and consulting.
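The advisory's grep regex (the one quoted in the post above) run as a small source-audit check. This is an added example, not code from the post or from Kayako; the PHP lines it scans are constructed here to show which template assignments the pattern flags and which escaped or non-GPC assignments it leaves alone.

```python
import re

# Regex quoted in the advisory: a GPC superglobal ($_GET, $_REQUEST, $_POST,
# $_SERVER) passed straight into a template ->assign() call without escaping.
GPC_ASSIGN_RE = re.compile(
    r"""assign\(('|"*)([a-zA-Z0-9_]*)('|"*), \$_(GET|REQUEST|POST|SERVER)"""
)

# Constructed PHP lines (not Kayako's code). Lines 1, 2 and 5 hand user input
# to the template unescaped; line 3 escapes first; line 4 uses a local value.
SAMPLE_PHP = """\
$this->Template->assign('sessionid', $_GET['sessionid']);
$this->Template->assign("filter", $_REQUEST['filter']);
$this->Template->assign('title', htmlspecialchars($_GET['title'], ENT_QUOTES));
$this->Template->assign('count', $count);
$this->Template->assign('referer', $_SERVER['HTTP_REFERER']);
"""


def find_gpc_assignments(php_source: str):
    """Return (line_number, template_var, superglobal) for every line that
    assigns a raw GPC value to a template variable."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        m = GPC_ASSIGN_RE.search(line)
        if m:
            hits.append((lineno, m.group(2), m.group(4)))
    return hits


def summarize(php_source: str):
    """Match count plus the template variable names, in the shape the
    advisory reports them (28 matches in 7 files for the real codebase)."""
    hits = find_gpc_assignments(php_source)
    return {"matches": len(hits), "vars": [var for _, var, _ in hits]}


if __name__ == "__main__":
    for lineno, var, superglobal in find_gpc_assignments(SAMPLE_PHP):
        print(f"line {lineno}: template var '{var}' assigned from $_{superglobal}")
```

Each flagged line is a candidate for wrapping the value in htmlspecialchars() (or the template engine's escaping) before it reaches the template, which is the class of fix the 3.30 release applied.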
#2 Jamie Edwards (Operations Manager, Posts: 5,420, Join Date: Jan 2006, Location: United Kingdom)
11-08-2008, 04:43 PM

Hi there,

As the article reports, these issues have already been fixed in the latest builds available to customers.

We will provide patches for those not wishing to upgrade to 3.30.00 shortly.


Jamie Edwards (jamie.edwards ]at[ kayako.com)