[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Kayako Fusion v4.51.1891 - Multiple Web Vulnerabilities
- To: bugs@xxxxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Kayako Fusion v4.51.1891 - Multiple Web Vulnerabilities
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 23 Feb 2013 03:06:29 +0100
Title:
======
Kayako Fusion v4.51.1891 - Multiple Web Vulnerabilities
Date:
=====
2013-01-22
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=824
ID: SWIFT-3119
URL: http://dev.kayako.com/browse/SWIFT-3119
VL-ID:
=====
824
Common Vulnerability Scoring System:
====================================
4.1
Introduction:
=============
Kayako Fusion is the world`s leading multi-channel helpdesk solution that
enables organizations to deliver a
better customer experience and work more effectively as a team, whatever their
size. Whether over email, support
tickets, self-help, live chat or voice, your customers support history is
tracked in one place and can be
accessed from anywhere. Proven, powerful and accessible support tools without
the expense or rocket science.
(Copy of the Vendor Homepage: http://www.kayako.com/products/fusion/ )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple persistent web
vulnerabilities in the Kayako Fusion v4.51.1891 Application.
Report-Timeline:
================
2013-01-04: Researcher Notification & Coordination
2013-01-22: Public Disclosure
Status:
========
Published
Affected Products:
==================
Kayako
Product: Fusion - CMS 4.51.1891
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium
Details:
========
Multiple persistent input validation vulnerabilities are detected in the Kayako
Fusion v4.51.1891 Web Application.
The vulnerability typus allows an attacker to inject own malicious script code
in the vulnerable module on application side (persistent).
The first vulnerability is located in the Tickets section when processing to
request via the the `Escalation` module the bound
vulnerable add_tags & remove_tags application parameters. The persistent
injected script code will be executed directly out of
the `add` section when processing to edit the earlier inserted dbms context.
The secound vulnerability is located in the Base section when processing to
request via the `Manage` module the bound vulnerable
`CustomFieldGroup > eMail` application listing. The persistent injected script
code will be executed directly out of the `usergroup`
listing when processing to manage the earlier inserted dbms context.
The third vulnerability is located in the Live-Chat section when processing to
request via the `Manage` module the bound vulnerable
`Visitor Group Title` application listing. The persistent injected script code
will be executed directly out of the `Visitor Group`
listing when processing to manage the earlier inserted dbms context.
The 4th vulnerability is located in the LanguagePhrase section when processing
to request via the `Manage` module the bound vulnerable
`search query` (string) application listing. The persistent injected script
code will be executed directly out of the `Search Query`
listing when processing to manage the earlier inserted dbms context.
The 5th vulnerability is located in the Staff section when processing to
request via the `Manage or Insert` module the bound vulnerable
`staff name or staff group` application parameters. The persistent injected
script code will be executed directly out of the `Staff`- or
`Staff Edit` listing when processing to manage the earlier inserted dbms
context.
The vulnerabilities can be exploited with a privileged application user account
and low or medium required user interaction.
Successful exploitation of the vulnerability result in persistent session
hijacking, persistent phishing, external redirect, external malware
loads and persistent vulnerable module context manipulation.
Vulnerable Section(s):
[+] Tickets
[+] Base
[+] Live-Chat
[+] LanguagePhrase
[+] Staff
Vulnerable Module(s):
[+] Escalation/Insert - (Tickets)
[+] CustomFieldGroup/Manage - (Base)
[+] Staff/Insert & /Staff/Edit/1 - (Base)
[+] StaffGroup/Insert - (Base)
[+] LiveChat/Group/Manage - (Live-Chat)
[+] Manage/0 - Search - (LanguagePhrase)
Vulnerable Parameter(s):
[+] Add tags & remove tags
[+] eMail User - Listing (Profile All Sections)
[+] Visitor Group Title & Group Color
[+] Search Query
Proof of Concept:
=================
The persistent inut validation vulnerabilities can be exploited by restricted
low or medium privileged application user account with low
required user interaction. For demonstration or reproduce ...
Review: Add tags & remove tags
<tr class="tablerow1_tr"><td class="tablerow1" align="left" valign="top"
width="50%"><span class="tabletitle">Add Tags</span>
</td><td class="tablerow1" align="left" valign="top"><div
class="swifttextautocompletediv" style="BACKGROUND: #FFFFFF URL
(http://rem0ve.137.0.0.1:8080/__swift/themes/__cp/images/icon_taginput.gif)
NO-REPEAT 4px 5px;"><ul class="swifttextautocomplete"
jsonurl="/Base/Tags/QuickSearch" id="tagcontainer_addtags"><li
class="swifttextautocompleteinputcontainer swifttextautocompleteitem"
tagid="><[PERSISTENT INJECTED SCRIPT CODE!] <><[PERSISTENT INJECTED SCRIPT
CODE!] <<div class="swifttextautocompleteitemclose">
<img
src="http://rem0ve.137.0.0.1:8080/__swift/themes/__cp/images/icon_tagx.gif"
align="absmiddle" border="0" /></div><input type="hidden"
name="containertaginput_addtags[]" value="><[PERSISTENT INJECTED SCRIPT CODE!]
<" ></[PERSISTENT INJECTED SCRIPT CODE!]></li>
<li class="swifttextautocompleteinputcontainer"><input
class="swifttextautocompleteinput ac_input" name="taginput_addtags"
id="taginput_addtags" value="Start typing to insert tags..." autocomplete="off"
size="30" type="text"></li></ul></div><script type="text/javascript">
if (window.$UIObject) { window.$UIObject.Queue(function(){
UITagControl('addtags', '') }); }</script></td></tr>
<tr class="tablerow1_tr"><td class="tablerow1" align="left" valign="top"
width="50%"><span class="tabletitle">Remove Tags</span></td>
<td class="tablerow1" align="left" valign="top"><div
class="swifttextautocompletediv" style="BACKGROUND: #FFFFFF URL
(http://rem0ve.137.0.0.1:8080/__swift/themes/__cp/images/icon_taginput.gif)
NO-REPEAT 4px 5px;"><ul class="swifttextautocomplete"
jsonurl="/Base/Tags/QuickSearch" id="tagcontainer_removetags"><li
class="swifttextautocompleteinputcontainer swifttextautocompleteitem"
tagid="><[PERSISTENT INJECTED SCRIPT CODE!]<<div=""
class="swifttextautocompleteitemclose">
<img
src="http://rem0ve.137.0.0.1:8080/__swift/themes/__cp/images/icon_tagx.gif"
align="absmiddle" border="0" /></div><input type="hidden"
name="containertaginput_removetags[]" value="><[PERSISTENT INJECTED SCRIPT
CODE!]></li><li class="swifttextautocompleteinputcontainer">
<input class="swifttextautocompleteinput ac_input" name="taginput_removetags"
id="taginput_removetags" value="Start typing to insert tags..."
autocomplete="off" size="30" type="text"></li></ul></div><script
type="text/javascript">if (window.$UIObject) { window.$UIObject.Queue(function()
{ UITagControl('removetags', '') }); }</script></td></tr>
</tbody>
Reference(s):
http://rem0ve.137.0.0.1:8080/admin/Tickets/Escalation/Insert
http://rem0ve.137.0.0.1:8080/admin/Base/CustomFieldGroup/Manage
Review: Staff/Insert & /Staff/Edit/1 & StaffGroup/Insert
<tbody><tr class="tablerow1_tr"><td class="tablerow1" align="left" valign="top"
width="50%">​​​​​
<span class="tabletitle">Group Title</span></td>
<td class="tablerow1" align="left" valign="top"><input autocomplete="OFF"
class="swifttext"
name="title" id="title"
value="<[PERSISTENT INJECTED SCRIPT CODE!]") <" size="30" type="text">
</td></tr>
<tr class="tablerow1_tr">
<td class="tablerow1" align="left" valign="top" width="50%"><span
class="tabletitle">Group Type</span><br><span class="tabledescription">
Custom fields must belong to a <b>custom field group</b>, which is further
bound to an area of the product, such as ticket creation, live chat,
user, user group etc.</span></td><td class="tablerow1" align="left"
valign="top"><span class="tabledescription">User</span></td></tr>
<tr class="tablerow1_tr"><td class="tablerow1" align="left" valign="top"
width="50%"><span class="tabletitle">Visibility</span><br>
<span class="tabledescription">Specify the custom field group visibility,
private groups are not visible to users within the client support
center.</span></td><td class="tablerow1" align="left" valign="top"><label
for="publicvisibilitytype"><input autocomplete="OFF" name="visibilitytype"
class="swiftradio" id="publicvisibilitytype" value="1" checked="" type="radio">
Public</label>
<label for="privatevisibilitytype">
<input autocomplete="OFF" name="visibilitytype" id="privatevisibilitytype"
value="0" type="radio"> Private</label>
</td></tr>
<tr class="tablerow1_tr"><td class="tablerow1" align="left" valign="top"
width="50%"><span class="tabletitle">
Display Order</span><br>
<span class="tabledescription">If there are multiple groups within an area,
they are sorted using the display order (ascending) specified here.
</span></td><td class="tablerow1" align="left"
valign="top">​​​​​<input autocomplete="OFF"
class="swifttextnumeric" name="displayorder" id="displayorder" value="1"
size="10" type="text">
</td></tr>
</tbody>
Reference(s):
http://rem0ve.137.0.0.1:8080/admin/Base/Staff/Insert
http://rem0ve.137.0.0.1:8080/admin/Base/StaffGroup/Insert
http://rem0ve.137.0.0.1:8080/admin/Base/Staff/Edit/1
Review: CustomFieldGroup
<tbody><tr>
<td colspan="2" id="staffnavbar" valign="top">
<div id="cpmenu" style="height: 100%;"><div style="display: none;"
id="customnavhtmlcontainer"></div><div id="" class="dialogcontainer">
<div class="dialogok"></div><div class="dialogokcontainer"><div
class="dialogtitle">Inserted Custom Field Group "
<[PERSISTENT INJECTED SCRIPT CODE!]>%20%20%20%20"><[PERSISTENT INJECTED SCRIPT
CODE!]") <"</div><div class="dialogtext">
Successfully inserted custom field group "<b><[PERSISTENT INJECTED SCRIPT
CODE!]") <</b>" into the
database.<br><b>Title:</b> <[PERSISTENT INJECTED SCRIPT CODE!]")
<<br><b>Type:</b> User<br><b>Display Order:</b>
1<[PERSISTENT INJECTED SCRIPT CODE!]>%20%20%20%20"><[PERSISTENT INJECTED SCRIPT
CODE!]") <</div></div></div>
<div id="gridcontentcustomfieldgroupgrid"><form
name="form_customfieldgroupgrid" id="form_customfieldgroupgrid"
action="http://rem0ve.137.0.0.1:8080/admin/Base/CustomFieldGroup/Manage//"
method="post" onsubmit="javascript: return false;">
<input autocomplete="OFF" name="csrfhash"
value="z2hvplh1kar0dm8rzvwmln0ilddeunsc" type="hidden"><div id="widthwrapper"
style="width: 100%;">
<div id="gridtoolbar"><div class="gridtoolbarnew" id="gridextendedtoolbar"><div
class="gridtoolbarsub">
<ul><li><a
href="http://rem0ve.137.0.0.1:8080/admin/Base/CustomFieldGroup/Insert"
viewport="1"><img src="Manage-Dateien/icon_addplus.gif"
align="absmiddle" border="0"> New</a></li></ul></div></div>
Reference(s):
http://rem0ve.137.0.0.1:8080/admin/Base/CustomFieldGroup/Manage
Review: Live-Chat - Visitor Group Title
<div id="" class="dialogcontainer"><div class="dialogok"></div><div
class="dialogokcontainer"><div class="dialogtitle">
Inserted Visitor Group "<[PERSISTENT INJECTED SCRIPT
CODE!]>%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!]") <"</div>
... or
div class="ui-dialog-titlebar ui-widget-header ui-corner-all
ui-helper-clearfix"><span id="ui-dialog-title-window_editgroup"
class="ui-dialog-title"><img
src="http://rem0ve.137.0.0.1:8080/__swift/themes/__cp/images/icon_window.gif"
align="absmiddle"
border="0"> Edit Visitor Group: <[PERSISTENT INJECTED SCRIPT
CODE!]>%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!]") <
<[PERSISTENT INJECTED SCRIPT CODE!]></span>
Reference(s):
http://rem0ve.137.0.0.1:8080/admin/LiveChat/Group/Manage
Risk:
=====
The security risk of the persistent input validation web vulnerabilities are
estimated as medium(+).
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@xxxxxxxxxxxxxxxxxxxxx)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any
warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor
licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.vulnerability-lab.com/register
Contact: admin@xxxxxxxxxxxxxxxxxxxxx - support@xxxxxxxxxxxxxxxxxxxxx
- research@xxxxxxxxxxxxxxxxxxxxx
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com
- news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All
pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or
support@xxxxxxxxxxxxxxxxxxxxx) to get a permission.
Copyright © 2013 | Vulnerability
Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx