kayakoBad.txt

2005-08-05T00:00:00
ID PACKETSTORM:39020
Type packetstorm
Reporter James Bercegay
Modified 2005-08-05T00:00:00

Description

##########################################################
# GulfTech Security Research July 30th, 2005  
##########################################################  
# Vendor : Kayako Web Solutions  
# URL : http://www.kayako.com/  
# Version : Kayako liveResponse v2.x  
# Risk : Multiple Vulnerabilities  
##########################################################  
  
  
  
Description:  
Kayako liveResponse is a web based application aimed at providing live  
support for websites and businesses. There are a number of vulnerabilities  
in Kayako liveResponse that range from Cross Site Request Forgeries, Cross  
Site Scripting, Information Disclosure, Script Injection, and SQL Injection  
vulnerabilities which can lead to disclosure of sensitive data. Users are  
suggested to update as soon as a secured version becomes available.  
  
  
  
Cross Site Scripting:  
Cross site scripting exists in Kayako liveResponse. This vulnerability exists due to user supplied input not being checked properly. Below is an example.
  
http://host/index.php?username="><script>alert(document.cookie)</script>  
  
This vulnerability could be used to steal cookie based authentication  
credentials within the scope of the current domain, or render hostile code  
in a victim's browser.  
  
  
  
SQL Injection:  
Kayako liveResponse is prone to SQL Injection in a number of places within the calendar feature. Below are some examples of URLs that could be used to take advantage of these vulnerabilities.
  
http://host/index.php?date=22&month=3&year=2005%20UNION%20SELECT%200,0,0,0,0,0,username,pass%20FROM%20lrUsers%20WHERE%201/*&_g=2&_a=panel&_m=cal
  
http://host/index.php?date=22%20UNION%20SELECT%200,0,0,0,0,0,username,pass%20FROM%20lrUsers%20WHERE%201/*&month=3&year=2005&_g=2&_a=panel&_m=cal
  
These issues can be used to read arbitrary contents of the database such as  
usernames and password hashes.  
  
  
  
Script Injection Vulnerability:  
When entering a session or sending the support staff a message, a malicious user may input script or HTML in the place of their name and have it executed in the context of the browser of a victim. This could be used to execute malicious client side code, or can be used in combination with CSRF issues, amongst other things.
This issue can also result in a Denial Of Service of sorts. If an attacker sends a message to the support staff with some junk code, it will render the form to manage messages useless and the victim will have to remove the faulty message manually via the database.
  
  
  
Plaintext Password Disclosure:  
When logging in and directly starting a session, liveResponse will send you to a URL that may look something similar to this.
  
http://host/index.php?_a=staffsession&_m=start&login=1&username=admin&password=james  
  
As we see, the admin password is in plain text and can be retrieved very easily locally, and can possibly be retrieved remotely. It is never a good idea to send, receive, or execute sensitive actions via the GET method as specified in RFC 2616 Section 9.1.1 entitled "Safe Methods".
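As an added example that is not part of the advisory, the following Python check scans web-server access logs for the three request patterns described in the Cross Site Scripting, SQL Injection and Plaintext Password Disclosure sections above: a non-numeric calendar parameter (`date`, `month`, `year`) carrying UNION/SELECT or a comment marker, tag or attribute breakout in `username`, and a `password` parameter sent in a GET query string. The log lines are constructed with placeholder IPs; the parameter names are taken from the advisory's own URLs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined-log style, placeholder IPs).
# The request URLs mirror the advisory's own examples.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jul/2005:10:00:01 +0000] "GET /index.php?_g=2&_a=panel&_m=cal&date=22&month=3&year=2005 HTTP/1.1" 200 512
203.0.113.7 - - [30/Jul/2005:10:00:02 +0000] "GET /index.php?date=22&month=3&year=2005%20UNION%20SELECT%200,0,0,0,0,0,username,pass%20FROM%20lrUsers%20WHERE%201/*&_g=2&_a=panel&_m=cal HTTP/1.1" 200 2048
203.0.113.9 - - [30/Jul/2005:10:00:03 +0000] "GET /index.php?username=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 300
203.0.113.4 - - [30/Jul/2005:10:00:04 +0000] "GET /index.php?_a=staffsession&_m=start&login=1&username=admin&password=james HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)')
CAL_INT_PARAMS = ("date", "month", "year")                            # calendar parameters shown injected in the advisory
SQLI_RE = re.compile(r'\bunion\b.*\bselect\b|/\*', re.IGNORECASE)   # UNION SELECT ... /* as in the advisory URLs
XSS_RE = re.compile(r'''<\s*script|['"]\s*>''', re.IGNORECASE)      # tag start or attribute breakout ("> )

def classify(line):
    """Return {"ip", "path", "findings"} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    params = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes values for us
    findings = []
    # 1. Calendar parameters should be plain integers; anything else is tampering,
    #    and a UNION/SELECT or comment marker inside them is the SQL injection pattern.
    for name in CAL_INT_PARAMS:
        for value in params.get(name, []):
            if not value.isdigit():
                findings.append(f"sqli:{name}" if SQLI_RE.search(value) else f"tamper:{name}")
    # 2. username is reflected into the page: flag script tags or attribute breakout.
    for value in params.get("username", []):
        if XSS_RE.search(value):
            findings.append("xss:username")
    # 3. Credentials travelling in a GET query string (the staffsession login URL).
    if m.group("method") == "GET" and "password" in params:
        findings.append("cred-in-get")
    return {"ip": m.group("ip"), "path": parts.path, "findings": findings}

def scan(log_text):
    """Classify every line and keep only those with at least one finding."""
    hits = (classify(line) for line in log_text.splitlines() if line.strip())
    return [h for h in hits if h and h["findings"]]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["path"], ", ".join(hit["findings"]))
```

The benign first request produces no finding, so only the three suspicious lines are reported.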
  
  
  
  
Path Disclosure:
You can disclose the full physical path of the liveResponse installation by requesting any number of include scripts directly.
  
http://host/addressbook.php  
  
Above is just one of MANY examples. While this may not be a real security issue in itself, it definitely helps an attacker gather all the info he can about your webserver.
  
  
  
Solution:  
The lead Kayako developers were informed of these issues back in March 2005, which is more than four months ago. The developers asked for three months to fix the issues, but it has been much longer than that, and as far as I know there has been no security announcement or official update from the Kayako developers.
  
  
  
Related Info:  
The original advisory can be found at the following location:
http://www.gulftech.org/?node=research&article_id=00092-07302005  
  
  
  
Credits:  
James Bercegay of the GulfTech Security Research Team  
  