PT-2009-44: Multiple vulnerabilities in Kayako Support Suite

Affected Software

Kayako Support Suite
Version 3.60.04 stable and possibly earlier

Product Link:

Severity Rating

Severity: Medium 
Impact: Medium
Attack Vector: Remote


Base Score: 6.4
Temporal Score: 4.7
Vector: (AV:N/AC:H/Au:M/C:C/I:C/A:P/E:U/RL:O/RC:C)

CVE: not assigned

Software Description

Kayako Support Suite is a HelpDesk system.

Vulnerability Description

Positive Technologies Research Team discovered Local File Inclusion (LFI) vulnerabilities in Kayako Support Suite.

A vulnerable function unset() allows attackers to overwrite an arbitrary global and not overridden variable, which can particularly result in LFI. If a user has write access to the DBMS tables, then he/she can add the necessary field and cause a LFI.


If a table cron contains the following fields:
cronid module name
7 m1 task1

Then an attacker can cause a LFI:
http://site/support/cron/index.php?_t=task1&_MODULES[m1]=[LOCAL INCLUDE]&-1575220259=1


Update to latest version.

Disclosure Timeline

10/12/2009 - Vendor notified
10/13/2009 - Vendor response
10/xx/2009 - The vendor confirmed the vulnerability and issued a workaround decision
10/xx/2009 - Requested status update from vendor
10/xx/2009 - Public disclosure


This vulnerability was discovered by Timur Yunusov (Positive Technologies Research Team).


Complete list of vulnerability reports published by Positive Technologies Research Team: