PT-2009-44: Multiple vulnerabilities in Kayako Support Suite
Affected Software
Kayako Support Suite
Version 3.60.04 stable and possibly earlier
Product Link:
http://www.kayako.com/
Severity Rating
Severity: Medium
Impact: Medium
Attack Vector: Remote
CVSS v2
Base Score: 6.4
Temporal Score: 4.7
Vector: (AV:N/AC:H/Au:M/C:C/I:C/A:P/E:U/RL:O/RC:C)
CVE: not assigned
Software Description
Kayako Support Suite is a help desk system.
Vulnerability Description
Positive Technologies Research Team discovered Local File Inclusion (LFI) vulnerabilities in Kayako Support Suite.
A vulnerable use of unset() allows an attacker to overwrite an arbitrary global variable that is not subsequently redefined, which in particular can result in LFI. If a user has write access to the DBMS tables, he/she can add the necessary field and cause an LFI.
Examples:
If the cron table contains the following fields and values:
cronid  module  name
7       m1      task1
Then an attacker can cause an LFI:
http://site/support/cron/index.php?_t=task1&_MODULES[m1]=[LOCAL INCLUDE]&-1575220259=1
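As an added detection example (not code from the advisory or from Kayako), the following Python flags requests to the cron endpoint that carry a `_MODULES[...]` parameter, since that array is supposed to be populated from configuration rather than from the query string, and marks values that look like file paths. The access-log lines are constructed samples, and the endpoint path suffix and path heuristics are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (hypothetical; not from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2009:10:01:02 +0000] "GET /support/cron/index.php?_t=task1 HTTP/1.1" 200 512
10.0.0.9 - - [12/Oct/2009:10:01:07 +0000] "GET /support/cron/index.php?_t=task1&_MODULES%5Bm1%5D=../../../../etc/passwd%00&-1575220259=1 HTTP/1.1" 200 2048
10.0.0.9 - - [12/Oct/2009:10:02:11 +0000] "GET /support/index.php?_m=core&_a=index HTTP/1.1" 200 4096
10.0.0.12 - - [12/Oct/2009:10:03:44 +0000] "GET /support/cron/index.php?_t=task1&_MODULES[m1]=m1 HTTP/1.1" 200 300
"""

# Extract the request line from a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A query key shaped like the global array the advisory says gets overwritten.
MODULES_KEY_RE = re.compile(r'^_MODULES\[[^\]]*\]$', re.IGNORECASE)
# Assumed path suffix of the vulnerable cron entry point.
CRON_SUFFIX = "/cron/index.php"


def is_suspicious_path(value):
    """Heuristic: does a module value look like a filesystem or URL path?"""
    return (".." in value or value.startswith("/") or "\x00" in value
            or "://" in value or "\\" in value)


def find_lfi_attempts(log_text):
    """Return one dict per cron request that supplies _MODULES[...] in the query."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(CRON_SUFFIX):
            continue
        # parse_qsl percent-decodes keys and values, so %5B/%5D become [ ].
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if MODULES_KEY_RE.match(key):
                hits.append({
                    "client": line.split()[0],
                    "param": key,
                    "value": value,
                    "traversal": is_suspicious_path(value),
                })
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit)
```

Any `_MODULES[...]` key on this endpoint is worth an alert on its own; the `traversal` flag separates obvious file-path payloads from probing.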
Solution
Update to the latest version.
Disclosure Timeline
10/12/2009 - Vendor notified
10/13/2009 - Vendor response
10/xx/2009 - The vendor confirmed the vulnerability and issued a workaround decision
10/xx/2009 - Requested status update from vendor
10/xx/2009 - Public disclosure
Credits
This vulnerability was discovered by Timur Yunusov (Positive Technologies Research Team).
References
http://en.securitylab.ru/lab/PT-2009-44
http://www.ptsecurity.ru/advisory.asp
Complete list of vulnerability reports published by Positive Technologies Research Team:
http://en.securitylab.ru/lab/
http://www.ptsecurity.ru/advisory.asp