Search...

kayako-sqlxss.txt

2008-08-13T00:00:00

ID PACKETSTORM:68994
Type packetstorm
Reporter James Bercegay
Modified 2008-08-13T00:00:00

Description

                                        
                                            `##########################################################  
# GulfTech Security Research August 09, 2008  
##########################################################  
# Vendor : Kayako Infotech Ltd.  
# URL : http://www.kayako.com/  
# Version : Kayako SupportSuite &lt; 3.30.00  
# Risk : Multiple Vulnerabilities  
##########################################################  
  
  
Description:  
Kayako SupportSuite is a very popular online eSupport  
application that consists of several well known Kayako  
products such as Kayako LiveResponse and Kayako eSupport.  
Unfortunately there are several security issues in Kayako  
SupportSuite that may allow for an attacker to gain access  
to a staff account and then escalate their privileges to  
administrator. These issues include Cross Site Scripting,  
Script Injection, and SQL Injection. All of these issues  
are resolved in Kayako SupportSuite 3.30 and users should  
upgrade as soon as possible.  
  
  
  
Cross Site Scripting:  
There are a substantial number of Cross Site Scripting  
issues present in Kayako SupportSuite that may allow for  
an attacker to steal cookies and gain unauthorized access  
to accounts.  
  
/visitor/index.php?_m=livesupport&_a=startclientchat&sessionid="%20onload%3dalert(document.cookie)%20style=%3d  
  
/index.php?_m=news&_a=view&filter=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Ca%20href=%22  
  
The above url's are a couple examples the issues in action.  
Some of the xss issues in SupportSuite require certain  
conditions, such as the second example. It requires a certain  
amount of results to be displayed, so that the pagination is  
present since that's where the issue occurs.  
  
assign\(('|"*)([a-zA-Z0-9_]*)('|"*), \$_(GET|REQUEST|POST|SERVER)  
  
A quick grep of the Kayako SupportSuite codebase for the  
above regex, which looks for gpc variables assigned directly  
as a template variable, displays 28 matches in 7 files.  
  
  
  
Script Injection:  
In addition to the cross site scripting issues explained above  
are some fairly dangerous script injection issues that can be  
easily used to take over a staff member's account via cookie  
theft just by chatting with them. For example if a malicious  
user creates an account, opens a ticket, or requests a chat with  
arbitrary script in their "Full Name" field then it will execute  
successfully in the context of the staff members browser when they  
get a chat request, print a users ticket, edit comments awaiting  
approval, or edit the attackers account.  
  
"&gt;&lt;/script&gt;&lt;script&gt;alert(document.cookie);&lt;/script&gt;&lt;script&gt;  
  
The above example can be inserted in to the Full Name field, and  
will display cookie information to the affected user whenever one  
of the previously mentioned actions are taken.  
  
  
  
SQL Injection:  
There is a fairly serious blind SQL Injection issue in the staff  
panel that let's a malicious staff user, or attacker who may have  
for example been able to gain access to a staff account from the  
previously mentioned vulnerabilities, escalate their access to  
administrator via password enumeration. The only condition required  
is that the ticketid must be one that is present, and that the  
attacker has access to.  
  
/staff/index.php?_m=tickets&_a=ticketactions&action=delcflink&ticketid=1&customfieldlinkid=-99'   
UNION SELECT IF(SUBSTRING(password,1, 1) = CHAR(50), BENCHMARK(1000000,   
MD5(CHAR(1))), null),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM   
ss_staff WHERE staffid=1/*  
  
If an attacker was to visit a url like the one above, he would  
experience a noticeable delay on the page loading if the first  
character of the staff user's hash with the id of 1 was a 2. It is  
stated on the official bug tracker that "This defect was not actually  
triggerable due to implementation details of a supporting function,  
but could easily have become active in the future", but in the version  
tested (3.20) it was very much exploitable. The above url should  
suffice for anyone wanting to test if their version is vulnerable,  
just remember to make sure the ticketid parameter is valid.  
  
  
  
Solution:  
The Kayako development team were fairly prompt in addressing these  
issues, and fixes for all of the previously mentioned issues can be  
found in the recently released 3.30 version of Kayako SupportSuite.  
Users should upgrade as soon as possible.  
  
  
  
Credits:  
James Bercegay of the GulfTech Security Research Team  
  
  
  
Related Info:  
The original advisory can be found at the following location  
http://www.gulftech.org/?node=research&article_id=00123-08092008  
`

JSON Vulners Source

Initial Source

{"sourceHref": "https://packetstormsecurity.com/files/download/68994/kayako-sqlxss.txt", "sourceData": "`########################################################## \n# GulfTech Security Research August 09, 2008 \n########################################################## \n# Vendor : Kayako Infotech Ltd. \n# URL : http://www.kayako.com/ \n# Version : Kayako SupportSuite < 3.30.00 \n# Risk : Multiple Vulnerabilities \n########################################################## \n \n \nDescription: \nKayako SupportSuite is a very popular online eSupport \napplication that consists of several well known Kayako \nproducts such as Kayako LiveResponse and Kayako eSupport. \nUnfortunately there are several security issues in Kayako \nSupportSuite that may allow for an attacker to gain access \nto a staff account and then escalate their privileges to \nadministrator. These issues include Cross Site Scripting, \nScript Injection, and SQL Injection. All of these issues \nare resolved in Kayako SupportSuite 3.30 and users should \nupgrade as soon as possible. \n \n \n \nCross Site Scripting: \nThere are a substantial number of Cross Site Scripting \nissues present in Kayako SupportSuite that may allow for \nan attacker to steal cookies and gain unauthorized access \nto accounts. \n \n/visitor/index.php?_m=livesupport&_a=startclientchat&sessionid=\"%20onload%3dalert(document.cookie)%20style=%3d \n \n/index.php?_m=news&_a=view&filter=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Ca%20href=%22 \n \nThe above url's are a couple examples the issues in action. \nSome of the xss issues in SupportSuite require certain \nconditions, such as the second example. It requires a certain \namount of results to be displayed, so that the pagination is \npresent since that's where the issue occurs. \n \nassign\\(('|\"*)([a-zA-Z0-9_]*)('|\"*), \\$_(GET|REQUEST|POST|SERVER) \n \nA quick grep of the Kayako SupportSuite codebase for the \nabove regex, which looks for gpc variables assigned directly \nas a template variable, displays 28 matches in 7 files. \n \n \n \nScript Injection: \nIn addition to the cross site scripting issues explained above \nare some fairly dangerous script injection issues that can be \neasily used to take over a staff member's account via cookie \ntheft just by chatting with them. For example if a malicious \nuser creates an account, opens a ticket, or requests a chat with \narbitrary script in their \"Full Name\" field then it will execute \nsuccessfully in the context of the staff members browser when they \nget a chat request, print a users ticket, edit comments awaiting \napproval, or edit the attackers account. \n \n\"></script><script>alert(document.cookie);</script><script> \n \nThe above example can be inserted in to the Full Name field, and \nwill display cookie information to the affected user whenever one \nof the previously mentioned actions are taken. \n \n \n \nSQL Injection: \nThere is a fairly serious blind SQL Injection issue in the staff \npanel that let's a malicious staff user, or attacker who may have \nfor example been able to gain access to a staff account from the \npreviously mentioned vulnerabilities, escalate their access to \nadministrator via password enumeration. The only condition required \nis that the ticketid must be one that is present, and that the \nattacker has access to. \n \n/staff/index.php?_m=tickets&_a=ticketactions&action=delcflink&ticketid=1&customfieldlinkid=-99' \nUNION SELECT IF(SUBSTRING(password,1, 1) = CHAR(50), BENCHMARK(1000000, \nMD5(CHAR(1))), null),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM \nss_staff WHERE staffid=1/* \n \nIf an attacker was to visit a url like the one above, he would \nexperience a noticeable delay on the page loading if the first \ncharacter of the staff user's hash with the id of 1 was a 2. It is \nstated on the official bug tracker that \"This defect was not actually \ntriggerable due to implementation details of a supporting function, \nbut could easily have become active in the future\", but in the version \ntested (3.20) it was very much exploitable. The above url should \nsuffice for anyone wanting to test if their version is vulnerable, \njust remember to make sure the ticketid parameter is valid. \n \n \n \nSolution: \nThe Kayako development team were fairly prompt in addressing these \nissues, and fixes for all of the previously mentioned issues can be \nfound in the recently released 3.30 version of Kayako SupportSuite. \nUsers should upgrade as soon as possible. \n \n \n \nCredits: \nJames Bercegay of the GulfTech Security Research Team \n \n \n \nRelated Info: \nThe original advisory can be found at the following location \nhttp://www.gulftech.org/?node=research&article_id=00123-08092008 \n`\n", "edition": 1, "references": [], "modified": "2008-08-13T00:00:00", "hash": "604d48cff3c3b189c550a1b6675a18a55efec7f420d58542bf20c0aac12e37d6", "cvelist": [], "history": [], "bulletinFamily": "exploit", "href": "https://packetstormsecurity.com/files/68994/kayako-sqlxss.txt.html", "description": "", "id": "PACKETSTORM:68994", "reporter": "James Bercegay", "lastseen": "2016-11-03T10:17:30", "published": "2008-08-13T00:00:00", "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2016-11-03T10:17:30", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:17:30", "rev": 2}, "vulnersScore": -0.3}, "objectVersion": "1.2", "type": "packetstorm", "cvss": {"vector": "NONE", "score": 0.0}, "title": "kayako-sqlxss.txt", "viewCount": 1, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d4be9c4fc84262b4f39f89565918568f", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "description"}, {"hash": "327869eba7532d4af4804a3fdd8445ea", "key": "href"}, {"hash": "a005fa67b5901bebb130ee5d4fdd9d17", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "a005fa67b5901bebb130ee5d4fdd9d17", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "8f35361887f9ff9d9663f8e58093b0d3", "key": "reporter"}, {"hash": "7e10ff69173a0325c66119e72297a0dd", "key": "sourceData"}, {"hash": "18acc6778e018f875edc1a45cdd109e1", "key": "sourceHref"}, {"hash": "0f3ce9b3fc9dd5b034ceb75df58b42bf", "key": "title"}, {"hash": "6466ca3735f647eeaed965d9e71bd35d", "key": "type"}]}