[waraxe-2008-SA#063] - Information Leakage in Kayako SupportSuite 3.11.01 ======================================================================== ======= Author: Janek Vind "waraxe" Date: 21. January 2008 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-63.html Target software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~ Kayako provides online help desk software and support solutions; enabling companies to improve their support and reduce costs. Our flagship support product SupportSuite is a robust and flexible turn-key solution, allowing you to implement effective support channels, e-mail management and manage self-help resources. SupportSuite does this by combining ticketed support (web and e-mail based), live chat and an intuitive customer interface. Vulnerabilities discovered ======================================================================== ======= 1. Information leakage in "syncml/index.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~ Anyone can issue request to "syncml/index.php" and in return "$_SERVER" superglobal will be dumped out. This can reveal potentially sensitive php/apache related information, which can be used in further attacking. No authentication or privileges needed, works with any php settings. Proof-Of-Concept: http://localhost/kayako/syncml/ Greetings: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~ Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, str0ke and anyone else who know me! Greetings to Raido Kerna. Tervitusi Torufoorumi rahvale! Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~ come2waraxe (at) yahoo (dot) com [email concealed] Janek Vind "waraxe" Homepage: http://www.janekvind.com/ Waraxe forum: http://www.waraxe.us/forums.html ---------------------------------- [ EOF ] --------------------------------