Kayako ESupport 2.3 Index.PHP Multiple Parameter Cross-Site Scripting Vulnerability

2005-03-22T00:00:00
ID EDB-ID:25257
Type exploitdb
Reporter James Bercegay
Modified 2005-03-22T00:00:00

Description

Kayako ESupport 2.3 Index.PHP Multiple Parameter Cross-Site Scripting Vulnerability. CVE-2005-0842. Webapps exploit for php platform

                                        
                                            source: http://www.securityfocus.com/bid/12868/info

Kayako ESupport is prone to a cross-site scripting vulnerability.

Multiple parameters of the 'index.php' script can be exploited to pass malicious HTML and script code to the application.

This would occur in the security context of the affected Web site and may allow for theft of cookie-based authentication credentials or other attacks.

ESupport 2.3 is reported vulnerable, however, it is possible that other versions are affected as well. 

http://www.example.com/index.php?_a=knowledgebase&_j=questiondetails&_i=[INT][XSS]

http://www.example.com/index.php?_a=knowledgebase&_j=questionprint&_i=[INT][XSS]

http://www.example.com/index.php?_a=troubleshooter&_c=[INT][XSS]

http://www.example.com/index.php?_a=knowledgebase&_j=subcat&_i=[INT][XSS]

where [INT] is a valid integer value.