kayako.txt

2004-12-30T00:00:00
ID PACKETSTORM:35414
Type packetstorm
Reporter James Bercegay
Modified 2004-12-30T00:00:00

Description

                                        
                                            `##########################################################  
# GulfTech Security Research December 18th, 2004  
##########################################################  
# Vendor : Kayako Web Solutions  
# URL : http://www.kayako.com/  
# Version : Kayako eSupport v2.x  
# Risk : Multiple Vulnerabilities  
##########################################################  
  
  
  
Description:  
Kayako eSupport is one of the most feature packed support systems; in this   
tour you will find why over a thousand companies have decided to opt for   
eSupport and use it to process their daily support requests. [As quoted   
from their website]  
  
  
Cross Site Scripting:  
Cross site scripting exists in Kayako eSupport. This vulnerability exists  
due to user supplied input not being checked properly. Below is an example.  
  
http://path/index.php?_a=knowledgebase&_j=search&searchm=[CODEGOESHERE]  
  
This vulnerability could be used to steal cookie based authentication   
credentials within the scope of the current domain, or render hostile code   
in a victim's browser.  
  
  
  
SQL Injection:   
Kayako eSupport is prone to SQL Injection in a number of places. Below are   
some examples of url's that could be used to take advantage of these   
vulnerabilities.  
  
http://path/index.php?_a=knowledgebase&_j=subcat&_i=[SQL]  
http://path/index.php?_a=knowledgebase&_j=rate&_i=[SQL]&type=no  
http://path/index.php?_a=knowledgebase&_j=questiondetails&_i=[SQL]  
http://path/index.php?_a=tickets&_m=viewmain&email22=blah@blah&ticketkey22=[  
SQL]  
http://path/index.php?_a=tickets&_m=viewmain&email22=[SQL]&ticketkey22=  
  
These is also a SQL Injection vulnerability in the "Home > Ticket Status   
> Forgot Key" feature. This can be take advantage of by putting a malicious   
query in the email field. Because of the location of the unchecked variable   
in the query, it makes it easy for an attacker to use these issues to query   
just about any info from the underlying database. It should also be noted  
that   
the attacker does not need to be logged in to eSupport  
  
  
  
Solution:  
The Kayako support team was informed of these vulnerabilities and they  
should   
be fixed soon.  
  
  
  
Related Info:  
The original advisory can be found at the following location  
http://www.gulftech.org/?node=research&article_id=00056-12182004  
  
  
  
Credits:  
James Bercegay of the GulfTech Security Research Team  
  
--   
No virus found in this outgoing message.  
Checked by AVG Anti-Virus.  
Version: 7.0.296 / Virus Database: 265.6.0 - Release Date: 12/17/2004  
  
  
`