PT-2009-41: Multiple vulnerabilities in Kayako Support Suite
Kayako Support Suite
Version 3.60.04 stable and possibly earlier
Security Level: Low
Impact: Installation Path Disclosure
Attack Vector: Remote
Base Score: 6.4
Temporal Score: 5
CVE: not assigned
Kayako Support Suite is a help desk system.
Positive Technologies Research Team discovered several Installation Path Disclosure vulnerabilities in Kayako Support Suite.
The application calls the PHP function unserialize() in a way that allows an attacker to disclose the product installation path.
In addition, the application does not validate variable types, which also allows an attacker to disclose the installation path.
Furthermore, the function trigger_error() is called in a way that likewise discloses the installation path.
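The three issues above share one root cause: PHP error messages rendered into the HTTP response carry the absolute path of the script. The following is an added example, not Kayako code, showing a request handler with that weak pattern next to a hardened variant; the function and parameter names are hypothetical.

```php
<?php
// Added example (not Kayako code). Function and parameter names are hypothetical.

// --- Weak pattern ---------------------------------------------------------
// If $request['data'] is not a string (for instance an array), unserialize()
// emits a warning on PHP 5/7 (an uncaught TypeError on PHP 8). With
// display_errors=On the message is written into the response and contains the
// absolute filesystem path of this file, i.e. the installation path.
function loadSettingsWeak(array $request)
{
    $settings = unserialize($request['data']);   // no type validation
    if ($settings === false) {
        // E_USER_ERROR output also ends with "in /path/to/file.php on line N".
        trigger_error('Could not decode settings', E_USER_ERROR);
    }
    return $settings;
}

// --- Hardened pattern -----------------------------------------------------
function loadSettingsHardened(array $request)
{
    // 1. Validate the type before the value reaches unserialize().
    if (!isset($request['data']) || !is_string($request['data'])) {
        return null;
    }
    // 2. Refuse object instantiation from untrusted input (PHP >= 7.0).
    $settings = unserialize($request['data'], ['allowed_classes' => false]);
    // 'b:0;' is the one payload for which false is a legitimate result.
    if ($settings === false && $request['data'] !== 'b:0;') {
        // 3. Log server-side with no caller-visible detail; never echo paths.
        error_log('settings decode failed for ' . ($_SERVER['REMOTE_ADDR'] ?? '-'));
        return null;
    }
    return $settings;
}

// Defence in depth, independent of application code (php.ini):
//   display_errors = Off
//   log_errors     = On
//   error_log      = /var/log/php/app.log   ; outside the web root
```

Even with the hardened handler, keep display_errors off in production, since any other unguarded warning or notice in the code base leaks the same path.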
Update to the latest version (3.70.01).
10/12/2009 - Vendor notified
10/13/2009 - Vendor response
01/26/2010 - Vendor confirmed the vulnerability and decided on a workaround
03/12/2010 - Requested status update from vendor
04/08/2010 - Public disclosure
This vulnerability was discovered by Timur Yunusov (Positive Technologies Research Team).