Multiple Vulnerabilities In Kayako eSupport v2.x

To: <bugtraq@xxxxxxxxxxxxxxxxx>, "OSVDB" <moderators@xxxxxxxxx>, "Secunia Research" <vuln@xxxxxxxxxxx>
Subject: Multiple Vulnerabilities In Kayako eSupport v2.x
From: "GulfTech Security" <security@xxxxxxxxxxxx>
Date: Sat, 18 Dec 2004 12:33:00 -0600
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcTlMABLI+7VZTybRqOoAMZ50vboQA==

##########################################################
# GulfTech Security Research           December 18th, 2004
##########################################################
# Vendor  : Kayako Web Solutions
# URL     : http://www.kayako.com/
# Version : Kayako eSupport v2.x
# Risk    : Multiple Vulnerabilities
##########################################################



Description:
Kayako eSupport is one of the most feature packed support systems; in this 
tour you will find why over a thousand companies have decided to opt for 
eSupport and use it to process their daily support requests. [As quoted 
from their website]


Cross Site Scripting:
Cross site scripting exists in Kayako eSupport. This vulnerability exists
due to user supplied input not being checked properly. Below is an example.

http://path/index.php?_a=knowledgebase&_j=search&searchm=[CODEGOESHERE]

This vulnerability could be used to steal cookie based authentication 
credentials within the scope of the current domain, or render hostile code 
in a victim's browser.



SQL Injection: 
Kayako eSupport is prone to SQL Injection in a number of places. Below are 
some examples of url's that could be used to take advantage of these 
vulnerabilities.

http://path/index.php?_a=knowledgebase&_j=subcat&_i=[SQL]
http://path/index.php?_a=knowledgebase&_j=rate&_i=[SQL]&type=no
http://path/index.php?_a=knowledgebase&_j=questiondetails&_i=[SQL]
http://path/index.php?_a=tickets&_m=viewmain&email22=blah@blah&ticketkey22=[
SQL]
http://path/index.php?_a=tickets&_m=viewmain&email22=[SQL]&ticketkey22=

These is also a SQL Injection vulnerability in the "Home > Ticket Status 
> Forgot Key" feature. This can be take advantage of by putting a malicious 
query in the email field. Because of the location of the unchecked variable 
in the query, it makes it easy for an attacker to use these issues to query 
just about any info from the underlying database. It should also be noted
that 
the attacker does not need to be logged in to eSupport



Solution:
The Kayako support team was informed of these vulnerabilities and they
should 
be fixed soon.



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00056-12182004



Credits:
James Bercegay of the GulfTech Security Research Team

-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.296 / Virus Database: 265.6.0 - Release Date: 12/17/2004

Prev by Date: Re: DJB's students release 44 *nix software vulnerability advisories
Next by Date: MS Windows Media Player 9 Vulns (2)
Previous by thread: [ GLSA 200412-13 ] Samba: Integer overflow
Next by thread: MS Windows Media Player 9 Vulns (2)
Index(es):
- Date
- Thread