('binary' encoding is not supported, stored as-is)
[waraxe-2008-SA#063] - Information Leakage in Kayako SupportSuite 3.11.01
===============================================================================
Author: Janek Vind "waraxe"
Date: 21. January 2008
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-63.html
Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Kayako provides online help desk software and support solutions; enabling
companies to improve their support and reduce costs. Our flagship support
product SupportSuite is a robust and flexible turn-key solution, allowing you
to implement effective support channels, e-mail management and manage self-help
resources.
SupportSuite does this by combining ticketed support (web and e-mail based),
live chat and an intuitive customer interface.
Vulnerabilities discovered
===============================================================================
1. Information leakage in "syncml/index.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Anyone can issue request to "syncml/index.php" and in return "$_SERVER"
superglobal will be dumped out. This can reveal potentially sensitive php/apache
related information, which can be used in further attacking. No authentication
or privileges needed, works with any php settings.
Proof-Of-Concept:
http://localhost/kayako/syncml/
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, str0ke
and anyone else who know me!
Greetings to Raido Kerna. Tervitusi Torufoorumi rahvale!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe_at_yahoo.com
Janek Vind "waraxe"
Homepage: http://www.janekvind.com/
Waraxe forum: http://www.waraxe.us/forums.html
---------------------------------- [ EOF ] --------------------------------
Received on Jan 21 2008
Intro
