[waraxe-2008-SA#063] - Information Leakage in Kayako SupportSuite 3.11.01

========================================================================
=======

Author: Janek Vind "waraxe"

Date: 21. January 2008

Location: Estonia, Tartu

Web: http://www.waraxe.us/advisory-63.html

Target software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~

Kayako provides online help desk software and support solutions; enabling

companies to improve their support and reduce costs. Our flagship support

product SupportSuite is a robust and flexible turn-key solution, allowing you

to implement effective support channels, e-mail management and manage self-help

resources.

SupportSuite does this by combining ticketed support (web and e-mail based),

live chat and an intuitive customer interface.

Vulnerabilities discovered

========================================================================
=======

1. Information leakage in "syncml/index.php"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~

Anyone can issue request to "syncml/index.php" and in return "$_SERVER"

superglobal will be dumped out. This can reveal potentially sensitive php/apache

related information, which can be used in further attacking. No authentication

or privileges needed, works with any php settings.

Proof-Of-Concept:

http://localhost/kayako/syncml/

Greetings:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~

Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, str0ke

and anyone else who know me!

Greetings to Raido Kerna. Tervitusi Torufoorumi rahvale!

Contact:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~

come2waraxe (at) yahoo (dot) com [email concealed]

Janek Vind "waraxe"

Homepage: http://www.janekvind.com/

Waraxe forum:  http://www.waraxe.us/forums.html

---------------------------------- [ EOF ] --------------------------------