PT-2009-41: Multiple vulnerabilities in Kayako Support Suite

Vulnerable Software

Kayako Support Suite
Version 3.60.04 stable and possibly earlier

Link:
http://www.kayako.com/

Security Level

Security Level:          Low
Impact:                        Installation Path Disclosure
Attack Vector:          Remote

CVSS v2:
Base Score:     6.4
Temporal Score: 5
Vector:         (AV:N/AC:L/Au:N/C:P/I:N/A:P/E:P/RL:O/RC:C)

CVE:   not assigned

Software Description

Kayako Support Suite is a HelpDesk system.

Vulnerability Description

Positive Technologies Research Team discovered several Installation Path Disclosure vulnerabilities in Kayako Support Suite.

The application uses a vulnerable PHP function unserialize(), which allows an attacker to disclose the product installation path.
In addition, there is no validation of variable types, which also allows an attacker to disclose the installation path.
Furthermore, the function trigger_error() is called, which results in the installation path disclosure, too.

Examples:

COOKIE: a%3A1073741823%3A%7Bi%3A0%3Bs%3A30%3A%22aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%22%7D
http://site/support/index.php?_m[]=news&_a=view
http://site/support/includes/functions_captcha.php

Solution

Update your software up to the latest version (3.70.01).

Bulletin Status

10/12/2009 - Vendor notified
10/13/2009 - Vendor response
01/26/2010 - The vendor confirmed the vulnerability and issued a workaround decision
03/12/2010 - Requested status update from vendor
04/08/2010 - Public disclosure

Acknowledgements

This vulnerability was discovered by Timur Yunusov (Positive Technologies Research Team)

References

http://en.securitylab.ru/lab/PT-2009-41
http://www.ptsecurity.ru/advisory.asp

Reports on the vulnerabilities previously discovered by Positive Technologies Research Team:

http://en.securitylab.ru/lab/
http://www.ptsecurity.ru/advisory.asp

 

Threatscape