Kayako LiveResponse Multiple Vulnerabilities
July 30, 2005
Vendor : Kayako Web Solutions
URL : http://www.kayako.com/
Version : Kayako liveResponse v2.x
Risk : Multiple Vulnerabilities


Description:
Kayako liveResponse is a web-based application aimed at providing live support for websites and businesses. There are a number of vulnerabilities in Kayako liveResponse, ranging from Cross Site Request Forgeries, Cross Site Scripting, Information Disclosure, and Script Injection to SQL Injection, which can lead to disclosure of sensitive data. Users are advised to update as soon as a secured version becomes available.


Cross Site Scripting:
Cross site scripting exists in Kayako liveResponse. This vulnerability exists because user-supplied input is not checked properly. Below is an example.

http://host/index.php?username="><script>alert(document.cookie)</script>

This vulnerability could be used to steal cookie based authentication credentials within the scope of the current domain, or render hostile code in a victim's browser.


SQL Injection:
Kayako liveResponse is prone to SQL Injection in a number of places within the calendar feature. Below are some examples of URLs that could be used to take advantage of these vulnerabilities.

http://host/index.php?date=22&month=3&year=2005%20UNION%20SELECT%200,0,0,0,0,0,username,pass%20FROM%20lrUsers%20WHERE%201/*&_g=2&_a=panel&_m=cal

http://host/index.php?date=22%20UNION%20SELECT%200,0,0,0,0,0,username,pass%20FROM%20lrUsers%20WHERE%201/*&month=3&year=2005&_g=2&_a=panel&_m=cal

These issues can be used to read arbitrary contents of the database such as usernames and password hashes.


Script Injection Vulnerability:
When entering a session or sending the support staff a message, a malicious user may input script or HTML in place of their name and have it executed in the context of a victim's browser. This could be used to execute malicious client-side code, or in combination with the CSRF issues, amongst other things. This issue can also result in a Denial of Service of sorts. If an attacker sends a message to the support staff with some junk code, it will render the form used to manage messages useless, and the victim will have to remove the faulty message manually via the database.


Plaintext Password Disclosure:
When logging in and directly starting a session, liveResponse will send you to a URL that may look similar to this.

http://host/index.php?_a=staffsession&_m=start&login=1&username=admin&password=james

As we see, the admin password is in plain text and can be retrieved very easily locally, and can possibly be retrieved remotely. It is never a good idea to send, receive, or execute sensitive actions via the GET method as specified in RFC 2616 Section 9.1.1 entitled "Safe Methods".


Path Disclosure:
You can disclose the full physical path of the liveResponse installation by requesting any number of include scripts directly.

http://host/addressbook.php

Above is just one of MANY examples. While this may not be a real security issue in itself, it definitely helps an attacker gather all the info he can about your webserver.


Solution:
The lead Kayako developers were informed of these issues back in March 2005, which is more than four months ago. The developers asked for three months to fix the issues, but it has been much longer than that, and as far as I know there has been no security announcement or official update from the Kayako developers.
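
Until an official update exists, web server access logs can be checked for the request shapes described in this advisory. The script below is an added example, not part of the original advisory or of Kayako's code; the log lines are constructed samples, and the function names and finding labels are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache common log format (not real traffic).
SAMPLE_LOG = '''\
192.0.2.10 - - [30/Jul/2005:10:00:01 +0000] "GET /index.php?date=22&month=3&year=2005&_g=2&_a=panel&_m=cal HTTP/1.1" 200 5120
192.0.2.11 - - [30/Jul/2005:10:00:07 +0000] "GET /index.php?date=22&month=3&year=2005%20UNION%20SELECT%200,0&_g=2&_a=panel&_m=cal HTTP/1.1" 200 6144
192.0.2.12 - - [30/Jul/2005:10:01:15 +0000] "GET /index.php?_a=staffsession&_m=start&login=1&username=admin&password=REDACTED HTTP/1.1" 302 0
192.0.2.13 - - [30/Jul/2005:10:02:40 +0000] "GET /index.php?username=%22%3E%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 4096
192.0.2.14 - - [30/Jul/2005:10:03:02 +0000] "GET /addressbook.php HTTP/1.1" 200 312
'''

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
CALENDAR_PARAMS = {"date", "month", "year"}   # parameters named in the advisory
INCLUDE_SCRIPTS = {"addressbook.php"}         # only file the advisory names; extend locally

def classify(url):
    """Return the set of findings for one request URL."""
    parts = urlsplit(url)
    findings = set()
    # Path disclosure: include scripts should never be requested directly.
    if parts.path.rsplit("/", 1)[-1] in INCLUDE_SCRIPTS:
        findings.add("direct-include-request")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # Calendar values are plain integers; anything else is suspect.
        if name in CALENDAR_PARAMS and not re.fullmatch(r"\d{1,4}", value):
            findings.add("non-numeric-calendar-param")
        # A password in the URL ends up in logs, history and Referer headers.
        if name == "password":
            findings.add("password-in-query-string")
        # Markup characters have no place in a user name.
        if name == "username" and re.search(r"[<>\"']", value):
            findings.add("markup-in-username")
    return findings

def scan(log_text):
    """Return (client_ip, sorted findings) for every flagged log line."""
    results = []
    for line in log_text.splitlines():
        match = REQUEST.search(line)
        findings = classify(match.group(1)) if match else set()
        if findings:
            results.append((line.split(" ", 1)[0], sorted(findings)))
    return results

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, ", ".join(findings))
```

A hit on password-in-query-string also means the logged credential should be treated as exposed and rotated.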


Credits:
James Bercegay of the GulfTech Security Research Team