
imei Addmimistrator’s BugBlog

imei’s security Advisories and researches

-------Summary-------
Software: SupportSuite
Software's Web Site: http://www.kayako.com
Versions: 3.00.32
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Not Available
Discovered by: imei Addmimistrator
Risk Level: Medium
-------Description-------
SupportSuite, a great product of Kayako, ideal for providing ticket-based support, is prone to XSS attacks in multiple internal files (more than 300 files).

Unsafe use of the $PHP_SELF variable in a great many SupportSuite files makes the product vulnerable to XSS. The bug results from using $PHP_SELF, which is unsafe in many versions of PHP, inside the message parameter passed to trigger_error().
The product's "anti full path disclosure" guard looks like this:

<?php
// Guard present in many SupportSuite include files: the request-controlled
// $PHP_SELF is interpolated into the error message and written out unescaped.
if (!defined("INSWIFT")) {
    trigger_error("Unable to process $PHP_SELF", E_USER_ERROR);
}
As is obvious, it is weak against XSS: the value of $PHP_SELF goes into the error message unescaped.

The affected files are listed in files-have-weakness-against-xss-in-supportsuite.txt
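As an added example (not SupportSuite's or Kayako's code), a small POSIX shell audit that finds the pattern described above across a PHP tree: lines where $PHP_SELF or $_SERVER['PHP_SELF'] is passed to trigger_error() or another output sink without htmlspecialchars(). The sample tree it builds is constructed for the demo, and the sink and variable lists are assumptions you would extend for a real code base.

```shell
#!/bin/sh
# Added example, not SupportSuite's code: audit a PHP tree for the pattern
# in the advisory, where $PHP_SELF (or $_SERVER['PHP_SELF']) reaches an
# output/error sink such as trigger_error() on the same line without
# htmlspecialchars()/htmlentities(). Assumes POSIX sh, find and grep -E.

SINKS='(trigger_error|echo|print|die|exit)'
SELF='(\$PHP_SELF|\$_SERVER\[.PHP_SELF.])'

# find_unescaped_php_self DIR -> prints "path:line" for each suspect line
find_unescaped_php_self() {
    find "$1" -type f -name '*.php' -exec grep -nE "$SINKS.*$SELF" /dev/null {} + \
        | grep -vE 'htmlspecialchars|htmlentities' \
        | cut -d: -f1,2
}

# audit_tree DIR -> lists hits; returns 1 if any were found (usable as a CI gate)
audit_tree() {
    hits=$(find_unescaped_php_self "$1")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# make_sample_tree -> prints the path of a constructed tree holding one guard
# like the advisory's, one escaped guard, and one file that only stores the value
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/includes/LoginShare"
    cat > "$dir/includes/LoginShare/modernbill.login.php" <<'EOF'
<?php
if (!defined("INSWIFT")) {
    trigger_error("Unable to process $PHP_SELF", E_USER_ERROR);
}
EOF
    cat > "$dir/includes/safe.php" <<'EOF'
<?php
trigger_error("Unable to process " . htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES), E_USER_ERROR);
EOF
    cat > "$dir/includes/store.php" <<'EOF'
<?php
$self = $_SERVER['PHP_SELF']; // kept for later, not sent to output on this line
EOF
    printf '%s\n' "$dir"
}
```

Run `audit_tree /path/to/supportsuite` to list every suspect line; the escaped guard and the file that merely stores the value are not reported.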

PS:
I have no idea how many times I should tell developers, and how long I should wait, before publishing a bug. However much I told them, they didn't pay attention even a bit. As a matter of fact, it sounds like they don't want to provide security for their users, for some reason I do not know. The bug report on the Kayako site is marked "Not a bug / Deferred" and located here. You have to log in to read the topic.

-------Exploit-------
http://127.0.0.1/SupportSuite/upload/includes/LoginShare/modernbill.login.php/%3Cscript%3Ealert(1)%3C/script%3E
-------Conditions-------
PHP <= 5.2.1 (Tell me if I'm wrong!)
-------Solution-------
No solution is available.
-------Credit-------
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
www.myimei.com

3 Responses to “SupportSuite 3.11.01~ Multiple file ~ PHP SELF XSS”

    http://www.securityfocus.com/bid/26744

    -----------------------------------------------------
    if (!defined("INSWIFT")) {
    trigger_error("Unable to process $PHP_SELF", E_USER_ERROR);
    }
    As is obvious, it has a weakness against XSS.
    -----------------------------------------------------

    What valuable information, Imei!

    Something so simple could be avoided by using __FILE__ instead of the cheater $PHP_SELF when unsanitized.

    if (!defined("INSWIFT")) {
    trigger_error("Unable to process " . __FILE__, E_USER_ERROR);
    }

    Yes. __FILE__ and so many other approaches are there to avoid such a simple mistake. But you have no idea how long I waited, and kayako.com did not pay any attention to my reports!
    Also, there is another bug in SupportSuite which I will publish soon.
