PT-2011-02: PHP code Injection in Kayako Support Suite

Vulnerable software

Kayako Support Suite
Version: 3.70.02-stable and earlier

Application link:

Severity level

Severity level: High
Impact: Arbitrary PHP code execution
Access Vector: Network exploitable

CVSS v2:
Base Score: 6.5
Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVE: not assigned

Software description

Kayako Support Suite is a HelpDesk system.

Vulnerability description

Positive Research Center has discovered PHP code injection vulnerability in Kayako Support Suite.

Application insufficiently verifies incoming data received via template editing form.
An attacker with administration privileges can inject arbitrary PHP code via template editing feature with an expression like: <<??arbitary_php_code??>>
Here is an example of URL script used for template editing:
The code is executed as user reqests from the page with modified template.

How to fix

Update your software up to the v4

Advisory status

25.11.2011 - Vendor is notified
25.11.2011 - Vendor gets vulnerability details
25.08.2011 - Vendor releases fixed version and details
29.12.2011 - Public disclosure


The vulnerability was discovered by Alexander Zaitsev, Positive Research Center (Positive Technologies Company)


Reports on the vulnerabilities previously discovered by Positive Research: