kayako-sqlxss.txt

`##########################################################  
# GulfTech Security Research August 09, 2008  
##########################################################  
# Vendor : Kayako Infotech Ltd.  
# URL : http://www.kayako.com/  
# Version : Kayako SupportSuite < 3.30.00  
# Risk : Multiple Vulnerabilities  
##########################################################  
  
  
Description:  
Kayako SupportSuite is a very popular online eSupport  
application that consists of several well known Kayako  
products such as Kayako LiveResponse and Kayako eSupport.  
Unfortunately there are several security issues in Kayako  
SupportSuite that may allow for an attacker to gain access  
to a staff account and then escalate their privileges to  
administrator. These issues include Cross Site Scripting,  
Script Injection, and SQL Injection. All of these issues  
are resolved in Kayako SupportSuite 3.30 and users should  
upgrade as soon as possible.  
  
  
  
Cross Site Scripting:  
There are a substantial number of Cross Site Scripting  
issues present in Kayako SupportSuite that may allow for  
an attacker to steal cookies and gain unauthorized access  
to accounts.  
  
/visitor/index.php?_m=livesupport&_a=startclientchat&sessionid="%20onload%3dalert(document.cookie)%20style=%3d  
  
/index.php?_m=news&_a=view&filter=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Ca%20href=%22  
  
The above url's are a couple examples the issues in action.  
Some of the xss issues in SupportSuite require certain  
conditions, such as the second example. It requires a certain  
amount of results to be displayed, so that the pagination is  
present since that's where the issue occurs.  
  
assign\(('|"*)([a-zA-Z0-9_]*)('|"*), \$_(GET|REQUEST|POST|SERVER)  
  
A quick grep of the Kayako SupportSuite codebase for the  
above regex, which looks for gpc variables assigned directly  
as a template variable, displays 28 matches in 7 files.  
  
  
  
Script Injection:  
In addition to the cross site scripting issues explained above  
are some fairly dangerous script injection issues that can be  
easily used to take over a staff member's account via cookie  
theft just by chatting with them. For example if a malicious  
user creates an account, opens a ticket, or requests a chat with  
arbitrary script in their "Full Name" field then it will execute  
successfully in the context of the staff members browser when they  
get a chat request, print a users ticket, edit comments awaiting  
approval, or edit the attackers account.  
  
"></script><script>alert(document.cookie);</script><script>  
  
The above example can be inserted in to the Full Name field, and  
will display cookie information to the affected user whenever one  
of the previously mentioned actions are taken.  
  
  
  
SQL Injection:  
There is a fairly serious blind SQL Injection issue in the staff  
panel that let's a malicious staff user, or attacker who may have  
for example been able to gain access to a staff account from the  
previously mentioned vulnerabilities, escalate their access to  
administrator via password enumeration. The only condition required  
is that the ticketid must be one that is present, and that the  
attacker has access to.  
  
/staff/index.php?_m=tickets&_a=ticketactions&action=delcflink&ticketid=1&customfieldlinkid=-99'   
UNION SELECT IF(SUBSTRING(password,1, 1) = CHAR(50), BENCHMARK(1000000,   
MD5(CHAR(1))), null),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM   
ss_staff WHERE staffid=1/*  
  
If an attacker was to visit a url like the one above, he would  
experience a noticeable delay on the page loading if the first  
character of the staff user's hash with the id of 1 was a 2. It is  
stated on the official bug tracker that "This defect was not actually  
triggerable due to implementation details of a supporting function,  
but could easily have become active in the future", but in the version  
tested (3.20) it was very much exploitable. The above url should  
suffice for anyone wanting to test if their version is vulnerable,  
just remember to make sure the ticketid parameter is valid.  
  
  
  
Solution:  
The Kayako development team were fairly prompt in addressing these  
issues, and fixes for all of the previously mentioned issues can be  
found in the recently released 3.30 version of Kayako SupportSuite.  
Users should upgrade as soon as possible.  
  
  
  
Credits:  
James Bercegay of the GulfTech Security Research Team  
  
  
  
Related Info:  
The original advisory can be found at the following location  
http://www.gulftech.org/?node=research&article_id=00123-08092008  
`