[waraxe-2008-SA#063] - Information Leakage in Kayako SupportSuite 3.11.01
========================================================================
=======
Author: Janek Vind "waraxe"
Date: 21. January 2008
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-63.html
Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~
Kayako provides online help desk software and support solutions; enabling
companies to improve their support and reduce costs. Our flagship support
product SupportSuite is a robust and flexible turn-key solution, allowing you
to implement effective support channels, e-mail management and manage self-help
resources.
SupportSuite does this by combining ticketed support (web and e-mail based),
live chat and an intuitive customer interface.
Vulnerabilities discovered
========================================================================
=======
1. Information leakage in "syncml/index.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~
Anyone can issue request to "syncml/index.php" and in return "$_SERVER"
superglobal will be dumped out. This can reveal potentially sensitive php/apache
related information, which can be used in further attacking. No authentication
or privileges needed, works with any php settings.
Proof-Of-Concept:
http://localhost/kayako/syncml/
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~
Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, str0ke
and anyone else who know me!
Greetings to Raido Kerna. Tervitusi Torufoorumi rahvale!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~
come2waraxe (at) yahoo (dot) com [email concealed]
Janek Vind "waraxe"
Homepage: http://www.janekvind.com/
Waraxe forum: http://www.waraxe.us/forums.html
---------------------------------- [ EOF ] --------------------------------