eSupport Multiple Vulnerabilities
Vendor: Kayako Web Solutions
Product: eSupport
Version: <= 2.3
Website: http://www.kayako.com/
BID: 12037
CVE: CVE-2004-1412
OSVDB: 12513 12514 12515
SECUNIA: 13563
PACKETSTORM: 35414
Description:
Kayako eSupport is one of the most feature packed support systems; in this tour you will find why over a thousand companies have decided to opt for eSupport and use it to process their daily support requests. [As quoted from their website]


Cross Site Scripting:
Cross site scripting exists in Kayako eSupport. This vulnerability exists due to user supplied input not being checked properly. Below is an example.

http://path/index.php?_a=knowledgebase&_j=search&searchm=[CODEGOESHERE]

This vulnerability could be used to steal cookie based authentication credentials within the scope of the current domain, or render hostile code in a victim's browser.


SQL Injection Vulnerabilities:
Kayako eSupport is prone to SQL Injection in a number of places. Below are some examples of url's that could be used to take advantage of these vulnerabilities.

http://path/index.php?_a=knowledgebase&_j=subcat&_i=[SQL]
http://path/index.php?_a=knowledgebase&_j=rate&_i=[SQL]&type=no
http://path/index.php?_a=knowledgebase&_j=questiondetails&_i=[SQL]
http://path/index.php?_a=tickets&_m=viewmain&email22=blah@blah&ticketkey22=[SQL]
http://path/index.php?_a=tickets&_m=viewmain&email22=[SQL]&ticketkey22=

These is also a SQL Injection vulnerability in the "Home > Ticket Status > Forgot Key" feature. This can be take advantage of by putting a malicious query in the email field. Because of the location of the unchecked variable in the query, it makes it easy for an attacker to use these issues to query just about any info from the underlying database.


Solution:
The Kayako support team was informed of these vulnerabilities and they have been fixed in Kayako eSupport v2.3.1


Credits:
James Bercegay of the GulfTech Security Research Team