Multiple Vulnerabilities In Kayako eSupport v2.x
##########################################################
# GulfTech Security Research December 18th, 2004
##########################################################
# Vendor : Kayako Web Solutions
# URL : http://www.kayako.com/
# Version : Kayako eSupport v2.x
# Risk : Multiple Vulnerabilities
##########################################################
Description:
Kayako eSupport is one of the most feature packed support systems; in this
tour you will find why over a thousand companies have decided to opt for
eSupport and use it to process their daily support requests. [As quoted
from their website]
Cross Site Scripting:
Cross site scripting exists in Kayako eSupport. This vulnerability exists
due to user supplied input not being checked properly. Below is an example.
http://path/index.php?_a=knowledgebase&_j=search&searchm=[CODEGOESHERE]
This vulnerability could be used to steal cookie based authentication
credentials within the scope of the current domain, or render hostile code
in a victim's browser.
SQL Injection:
Kayako eSupport is prone to SQL Injection in a number of places. Below are
some examples of url's that could be used to take advantage of these
vulnerabilities.
http://path/index.php?_a=knowledgebase&_j=subcat&_i=[SQL]
http://path/index.php?_a=knowledgebase&_j=rate&_i=[SQL]&type=no
http://path/index.php?_a=knowledgebase&_j=questiondetails&_i=[SQL]
http://path/index.php?_a=tickets&_m=viewmain&email22=blah@blah&ticketkey22=[
SQL]
http://path/index.php?_a=tickets&_m=viewmain&email22=[SQL]&ticketkey22=
These is also a SQL Injection vulnerability in the "Home > Ticket Status
> Forgot Key" feature. This can be take advantage of by putting a malicious
query in the email field. Because of the location of the unchecked variable
in the query, it makes it easy for an attacker to use these issues to query
just about any info from the underlying database. It should also be noted
that
the attacker does not need to be logged in to eSupport
Solution:
The Kayako support team was informed of these vulnerabilities and they
should
be fixed soon.
Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00056-12182004
Credits:
James Bercegay of the GulfTech Security Research Team
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.296 / Virus Database: 265.6.0 - Release Date: 12/17/2004