##########################################################
# GulfTech Security Research              August 09, 2008
##########################################################
# Vendor : Kayako Infotech Ltd.
# URL : http://www.kayako.com/
# Version : Kayako SupportSuite < 3.30.00
# Risk : Multiple Vulnerabilities
##########################################################


Description:
Kayako SupportSuite is a very popular online eSupport
application that consists of several well known Kayako
products such as Kayako LiveResponse and Kayako eSupport.
Unfortunately there are several security issues in Kayako
SupportSuite that may allow for an attacker to gain access
to a staff account and then escalate their privileges to
administrator. These issues include Cross Site Scripting,
Script Injection, and SQL Injection. All of these issues
are resolved in Kayako SupportSuite 3.30 and users should
upgrade as soon as possible.



Cross Site Scripting:
There are a substantial number of Cross Site Scripting
issues present in Kayako SupportSuite that may allow for
an attacker to steal cookies and gain unauthorized access
to accounts.

/visitor/index.php?_m=livesupport&_a=startclientchat&sessionid="%20onload%3dalert(document.cookie)%20style=%3d

/index.php?_m=news&_a=view&filter=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Ca%20href=%22

The above url's are a couple examples the issues in action.
Some of the xss issues in SupportSuite require certain
conditions, such as the second example. It requires a certain
amount of results to be displayed, so that the pagination is
present since that's where the issue occurs.

assign\(('|"*)([a-zA-Z0-9_]*)('|"*), \$_(GET|REQUEST|POST|SERVER)

A quick grep of the Kayako SupportSuite codebase for the
above regex, which looks for gpc variables assigned directly
as a template variable, displays 28 matches in 7 files.



Script Injection:
In addition to the cross site scripting issues explained above
are some fairly dangerous script injection issues that can be
easily used to take over a staff member's account via cookie
theft just by chatting with them. For example if a malicious
user creates an account, opens a ticket, or requests a chat with
arbitrary script in their "Full Name" field then it will execute
successfully in the context of the staff members browser when they
get a chat request, print a users ticket, edit comments awaiting
approval, or edit the attackers account.

"></script><script>alert(document.cookie);</script><script>

The above example can be inserted in to the Full Name field, and
will display cookie information to the affected user whenever one
of the previously mentioned actions are taken.



SQL Injection:
There is a fairly serious blind SQL Injection issue in the staff
panel that let's a malicious staff user, or attacker who may have
for example been able to gain access to a staff account from the
previously mentioned vulnerabilities, escalate their access to
administrator via password enumeration. The only condition required
is that the ticketid must be one that is present, and that the
attacker has access to.

/staff/index.php?_m=tickets&_a=ticketactions&action=delcflink&ticketid=1&customfieldlinkid=-99' 
UNION SELECT IF(SUBSTRING(password,1, 1) = CHAR(50), BENCHMARK(1000000, 
MD5(CHAR(1))), null),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM 
ss_staff WHERE staffid=1/*

If an attacker was to visit a url like the one above, he would
experience a noticeable delay on the page loading if the first
character of the staff user's hash with the id of 1 was a 2. It is
stated on the official bug tracker that "This defect was not actually
triggerable due to implementation details of a supporting function,
but could easily have become active in the future", but in the version
tested (3.20) it was very much exploitable. The above url should
suffice for anyone wanting to test if their version is vulnerable,
just remember to make sure the ticketid parameter is valid.



Solution:
The Kayako development team were fairly prompt in addressing these
issues, and fixes for all of the previously mentioned issues can be
found in the recently released 3.30 version of Kayako SupportSuite.
Users should upgrade as soon as possible.



Credits:
James Bercegay of the GulfTech Security Research Team



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00123-08092008