What's the plan to address reported security issues?

iragrollman · **What's the plan to address reported security issues? -** 27-02-2007, 04:42 AM

http://www.frsirt.com/english/advisories/2007/0717

Multiple vulnerabilities have been identified in Kayako eSupport, which could be exploited by attackers to execute arbitrary scripting code. These issues are due to input validation errors in various modules (e.g. "tickets") when processing malformed parameters, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.

The version they tested against is Kayako eSupport version 3.04.10

supportskins · 27-02-2007, 10:00 AM

Has anyone reported this to Kayako?

caitlyntw · 06-03-2007, 07:42 AM

I don't think this is a very important issue to them. Several people have reported this, directly to them, on the forum and on the bugtracker.

Olate · 06-03-2007, 09:20 AM

XSS issues were fixed in the latest stable build 3.10.02 which probably addresses the problems noted in this advisory.

anand · **xss vulnerabilities -** 04-06-2007, 06:49 PM

I am using the 3.10.02 version of supportsuite and have found xss vulnerabilities in several places. Have raised a support ticket with example on how to exploit one such vulnerability.

Let me see what response does kayako give.

**Jamie Edwards** · 04-06-2007, 06:51 PM

Hi anand,

Can I please have your ticket ID(s)?

Thanks,

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

supportskins Offline Senior Member Posts: 3,536 Join Date: Aug 2006 Location: Mumbai, India	27-02-2007, 10:00 AM Has anyone reported this to Kayako? Professional and Affordable Kayako Skins - Specialists in Kayako Skinning & Customization - Professional Paid Support Our Skins and Services - http://www.supportskins.com/store/ SupportSkins.com - http://www.supportskins.com/

caitlyntw Offline Member Posts: 99 Join Date: Jul 2006	06-03-2007, 07:42 AM I don't think this is a very important issue to them. Several people have reported this, directly to them, on the forum and on the bugtracker.

Olate Offline Member Posts: 53 Join Date: Sep 2003 Location: England, UK	06-03-2007, 09:20 AM XSS issues were fixed in the latest stable build 3.10.02 which probably addresses the problems noted in this advisory. David Mytton - Olate Ltd - 15% ionCube Discount or 15% Zend Guard Discount - Simple PHP Bug/Issue Tracking - UK Dedicated Servers (managed and unmanaged)

anand Offline New Member Posts: 1 Join Date: Jun 2007	xss vulnerabilities - 04-06-2007, 06:49 PM I am using the 3.10.02 version of supportsuite and have found xss vulnerabilities in several places. Have raised a support ticket with example on how to exploit one such vulnerability. Let me see what response does kayako give.