SupportSuite Multiple Vulnerabilities
Vendor: Kayako Infotech Ltd.
Product: SupportSuite
Version: <= 3.20.02
Website: http://www.kayako.com/
BID: 30642
CVE: CVE-2008-3700
OSVDB: 47613 47614 47615 47616
SECUNIA: 31431
PACKETSTORM: 68994
Description:
Kayako SupportSuite is a very popular online eSupport application that consists of several well known Kayako products such as Kayako LiveResponse and Kayako eSupport. Unfortunately there are several security issues in Kayako SupportSuite that may allow for an attacker to gain access to a staff account and then escalate their privileges to administrator. These issues include Cross Site Scripting, Script Injection, and SQL Injection. All of these issues are resolved in Kayako SupportSuite 3.30 and users should upgrade as soon as possible.


Cross Site Scripting
There are a substantial number of Cross Site Scripting issues present in Kayako SupportSuite that may allow for an attacker to steal cookies and gain unauthorized access to accounts.

/visitor/index.php?_m=livesupport&_a=startclientchat&sessionid="%20onload %3dalert(document.cookie)%20style=%3d

/index.php?_m=news&_a=view&filter=%22%3E%3Cscript%3Ealert(document.cookie) %3C/script%3E%3Ca%20href=%22

The above url's are a couple examples the issues in action. Some of the xss issues in SupportSuite require certain conditions, such as the second example. It requires a certain amount of results to be displayed, so that the pagination is present since that's where the issue occurs.

assign\(('|"*)([a-zA-Z0-9_]*)('|"*), \$_(GET|REQUEST|POST|SERVER)

A quick grep of the Kayako SupportSuite codebase for the above regex, which looks for gpc variables assigned directly as a template variable, displays 28 matches in 7 files.


Script Injection:
In addition to the cross site scripting issues explained above are some fairly dangerous script injection issues that can be easily used to take over a staff member's account via cookie theft just by chatting with them. For example if a malicious user creates an account, opens a ticket, or requests a chat with arbitrary script in their "Full Name" field then it will execute successfully in the context of the staff members browser when they get a chat request, print a users ticket, edit comments awaiting approval, or edit the attackers account.

"></script><script>alert(document.cookie);</script><script>

The above example can be inserted in to the Full Name field, and will display cookie information to the affected user whenever one of the previously mentioned actions are taken.


SQL Injection:
There is a fairly serious blind SQL Injection issue in the staff panel that let's a malicious staff user, or attacker who may have for example been able to gain access to a staff account from the previously mentioned vulnerabilities, escalate their access to administrator via password enumeration. The only condition required is that the ticketid must be one that is present, and that the attacker has access to.

/staff/index.php?_m=tickets&_a=ticketactions&action=delcflink&ticketid=1& customfieldlinkid=-99' UNION SELECT IF(SUBSTRING(password,1, 1) = CHAR(50), BENCHMARK(1000000, MD5(CHAR(1))), null),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0 FROM ss_staff WHERE staffid=1/*

If an attacker was to visit a url like the one above, he would experience a noticeable delay on the page loading if the first character of the staff user's hash with the id of 1 was a 2. It is stated on the official bug tracker that "This defect was not actually triggerable due to implementation details of a supporting function, but could easily have become active in the future", but in the version tested (3.20) it was very much exploitable. The above url should suffice for anyone wanting to test if their version is vulnerable, just remember to make sure the ticketid parameter is valid.


Solution:
The Kayako development team were fairly prompt in addressing these issues, and fixes for all of the previously mentioned issues can be found in the recently released 3.30 version of Kayako SupportSuite. Users should upgrade as soon as possible.


Credits:
James Bercegay of the GulfTech Security Research Team