Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Kayako Fusion v4.51.1891 - Multiple Web Vulnerabilities

From: Vulnerability Lab <research () vulnerability-lab com>
Date: Sat, 23 Feb 2013 03:06:29 +0100
Title:
======
Kayako Fusion v4.51.1891 - Multiple Web Vulnerabilities


Date:
=====
2013-01-22


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=824

ID:   SWIFT-3119
URL: http://dev.kayako.com/browse/SWIFT-3119


VL-ID:
=====
824


Common Vulnerability Scoring System:
====================================
4.1


Introduction:
=============
Kayako Fusion is the world`s leading multi-channel helpdesk solution that enables organizations to deliver a 
better customer experience and work more effectively as a team, whatever their size. Whether over email, support 
tickets, self-help, live chat or voice, your customers support history is tracked in one place and can be 
accessed from anywhere. Proven, powerful and accessible support tools without the expense or rocket science.

(Copy of the Vendor Homepage: http://www.kayako.com/products/fusion/ )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple persistent web vulnerabilities in the Kayako Fusion 
v4.51.1891 Application.


Report-Timeline:
================
2013-01-04:     Researcher Notification & Coordination
2013-01-22:     Public Disclosure


Status:
========
Published


Affected Products:
==================
Kayako
Product: Fusion - CMS 4.51.1891


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
Multiple persistent input validation vulnerabilities are detected in the Kayako Fusion v4.51.1891 Web Application.
The vulnerability typus allows an attacker to inject own malicious script code in the vulnerable module on application 
side (persistent).

The first vulnerability is located in the Tickets section when processing to request via the the `Escalation` module 
the bound 
vulnerable add_tags & remove_tags application parameters. The persistent injected script code will be executed directly 
out of 
the `add` section when processing to edit  the earlier inserted dbms context.

The secound vulnerability is located in the Base section when processing to request via the `Manage` module the bound 
vulnerable 
`CustomFieldGroup > eMail` application listing. The persistent injected script code will be executed directly out of 
the `usergroup` 
listing when processing to manage the earlier inserted dbms context.

The third vulnerability is located in the Live-Chat section when processing to request via the `Manage` module the 
bound vulnerable 
`Visitor Group Title` application listing. The persistent injected script code will be executed directly out of the 
`Visitor Group` 
listing when processing to manage the earlier inserted dbms context.

The 4th vulnerability is located in the LanguagePhrase section when processing to request via the `Manage` module the 
bound vulnerable 
`search query` (string) application listing. The persistent injected script code will be executed directly out of the 
`Search Query` 
listing when processing to manage the earlier inserted dbms context.

The 5th vulnerability is located in the Staff section when processing to request via the `Manage or Insert` module the 
bound vulnerable 
`staff name or staff group` application parameters. The persistent injected script code will be executed directly out 
of the `Staff`- or 
`Staff Edit` listing  when processing to manage the earlier inserted dbms context.

The vulnerabilities can be exploited with a privileged application user account and low or medium required user 
interaction. 
Successful exploitation of the vulnerability result in persistent session hijacking, persistent phishing, external 
redirect, external malware 
loads and persistent vulnerable module context manipulation.

Vulnerable Section(s):
                                [+] Tickets
                                [+] Base
                                [+] Live-Chat
                                [+] LanguagePhrase
                                [+] Staff

Vulnerable Module(s):
                                [+] Escalation/Insert - (Tickets)
                                [+] CustomFieldGroup/Manage - (Base)
                                [+] Staff/Insert & /Staff/Edit/1 - (Base)
                                [+] StaffGroup/Insert - (Base)
                                [+] LiveChat/Group/Manage - (Live-Chat)
                                [+] Manage/0 - Search  - (LanguagePhrase)

Vulnerable Parameter(s):
                                [+] Add tags & remove tags
                                [+] eMail User - Listing (Profile All Sections)
                                [+] Visitor Group Title & Group Color
                                [+] Search Query


Proof of Concept:
=================
The persistent inut validation vulnerabilities can be exploited by restricted low or medium privileged application user 
account with low 
required user interaction. For demonstration or reproduce ...


Review: Add tags & remove tags

<tr class="tablerow1_tr"><td class="tablerow1" align="left" valign="top" width="50%"><span class="tabletitle">Add 
Tags</span>
</td><td class="tablerow1" align="left" valign="top"><div class="swifttextautocompletediv" style="BACKGROUND: #FFFFFF 
URL
(http://rem0ve.137.0.0.1:8080/__swift/themes/__cp/images/icon_taginput.gif) NO-REPEAT 4px 5px;"><ul 
class="swifttextautocomplete" 
jsonurl="/Base/Tags/QuickSearch" id="tagcontainer_addtags"><li class="swifttextautocompleteinputcontainer 
swifttextautocompleteitem" 
tagid="><[PERSISTENT INJECTED SCRIPT CODE!] <><[PERSISTENT INJECTED SCRIPT CODE!] <<div 
class="swifttextautocompleteitemclose">
<img src="http://rem0ve.137.0.0.1:8080/__swift/themes/__cp/images/icon_tagx.gif"; align="absmiddle" border="0" 
/></div><input type="hidden" 
name="containertaginput_addtags[]" value="><[PERSISTENT INJECTED SCRIPT CODE!] <" ></[PERSISTENT INJECTED SCRIPT 
CODE!]></li>
<li class="swifttextautocompleteinputcontainer"><input class="swifttextautocompleteinput ac_input" 
name="taginput_addtags" 
id="taginput_addtags" value="Start typing to insert tags..." autocomplete="off" size="30" 
type="text"></li></ul></div><script type="text/javascript">
if (window.$UIObject) { window.$UIObject.Queue(function(){ UITagControl('addtags', '') }); }</script></td></tr>
<tr class="tablerow1_tr"><td class="tablerow1" align="left" valign="top" width="50%"><span class="tabletitle">Remove 
Tags</span></td>
<td class="tablerow1" align="left" valign="top"><div class="swifttextautocompletediv" style="BACKGROUND: #FFFFFF URL
(http://rem0ve.137.0.0.1:8080/__swift/themes/__cp/images/icon_taginput.gif) NO-REPEAT 4px 5px;"><ul 
class="swifttextautocomplete" 
jsonurl="/Base/Tags/QuickSearch" id="tagcontainer_removetags"><li class="swifttextautocompleteinputcontainer 
swifttextautocompleteitem" 
tagid="><[PERSISTENT INJECTED SCRIPT CODE!]<<div="" class="swifttextautocompleteitemclose">
<img src="http://rem0ve.137.0.0.1:8080/__swift/themes/__cp/images/icon_tagx.gif"; align="absmiddle" border="0" 
/></div><input type="hidden" 
name="containertaginput_removetags[]" value="><[PERSISTENT INJECTED SCRIPT CODE!]></li><li 
class="swifttextautocompleteinputcontainer">
<input class="swifttextautocompleteinput ac_input" name="taginput_removetags" id="taginput_removetags" value="Start 
typing to insert tags..." 
autocomplete="off" size="30" type="text"></li></ul></div><script type="text/javascript">if (window.$UIObject) { 
window.$UIObject.Queue(function()
{ UITagControl('removetags', '') }); }</script></td></tr>
</tbody>


Reference(s):
http://rem0ve.137.0.0.1:8080/admin/Tickets/Escalation/Insert
http://rem0ve.137.0.0.1:8080/admin/Base/CustomFieldGroup/Manage



Review: Staff/Insert & /Staff/Edit/1 & StaffGroup/Insert

<tbody><tr class="tablerow1_tr"><td class="tablerow1" align="left" valign="top" 
width="50%">&#8203;&#8203;&#8203;&#8203;&#8203;
<span class="tabletitle">Group Title</span></td>
<td class="tablerow1" align="left" valign="top"><input autocomplete="OFF" class="swifttext" 
name="title" id="title" 
value="<[PERSISTENT INJECTED SCRIPT CODE!]") <" size="30" type="text">
</td></tr>
<tr class="tablerow1_tr">
<td class="tablerow1" align="left" valign="top" width="50%"><span class="tabletitle">Group Type</span><br><span 
class="tabledescription">
Custom fields must belong to a <b>custom field group</b>, which is further bound to an area of the product, such as 
ticket creation, live chat, 
user, user group etc.</span></td><td class="tablerow1" align="left" valign="top"><span 
class="tabledescription">User</span></td></tr>

<tr class="tablerow1_tr"><td class="tablerow1" align="left" valign="top" width="50%"><span 
class="tabletitle">Visibility</span><br>
<span class="tabledescription">Specify the custom field group visibility, private groups are not visible to users 
within the client support 
center.</span></td><td class="tablerow1" align="left" valign="top"><label for="publicvisibilitytype"><input 
autocomplete="OFF" name="visibilitytype" 
class="swiftradio" id="publicvisibilitytype" value="1" checked="" type="radio"> Public</label>
<label for="privatevisibilitytype">
<input autocomplete="OFF" name="visibilitytype" id="privatevisibilitytype" value="0" type="radio"> Private</label>
</td></tr>

<tr class="tablerow1_tr"><td class="tablerow1" align="left" valign="top" width="50%"><span class="tabletitle">
Display Order</span><br>
<span class="tabledescription">If there are multiple groups within an area, they are sorted using the display order 
(ascending) specified here.
</span></td><td class="tablerow1" align="left" valign="top">&#8203;&#8203;&#8203;&#8203;&#8203;<input 
autocomplete="OFF" 
class="swifttextnumeric" name="displayorder" id="displayorder" value="1" size="10" type="text">
</td></tr>
</tbody>

Reference(s):
http://rem0ve.137.0.0.1:8080/admin/Base/Staff/Insert
http://rem0ve.137.0.0.1:8080/admin/Base/StaffGroup/Insert
http://rem0ve.137.0.0.1:8080/admin/Base/Staff/Edit/1



Review: CustomFieldGroup

<tbody><tr>
<td colspan="2" id="staffnavbar" valign="top">
<div id="cpmenu" style="height: 100%;"><div style="display: none;" id="customnavhtmlcontainer"></div><div id="" 
class="dialogcontainer">
<div class="dialogok"></div><div class="dialogokcontainer"><div class="dialogtitle">Inserted Custom Field Group "
<[PERSISTENT INJECTED SCRIPT CODE!]>%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!]") <"</div><div class="dialogtext">
Successfully inserted custom field group "<b><[PERSISTENT INJECTED SCRIPT CODE!]") <</b>" into the 
database.<br><b>Title:</b> <[PERSISTENT INJECTED SCRIPT CODE!]") <<br><b>Type:</b> User<br><b>Display Order:</b> 
1<[PERSISTENT INJECTED SCRIPT CODE!]>%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!]") <</div></div></div>
<div id="gridcontentcustomfieldgroupgrid"><form name="form_customfieldgroupgrid" id="form_customfieldgroupgrid" 
action="http://rem0ve.137.0.0.1:8080/admin/Base/CustomFieldGroup/Manage//"; method="post" onsubmit="javascript: return 
false;">
<input autocomplete="OFF" name="csrfhash" value="z2hvplh1kar0dm8rzvwmln0ilddeunsc" type="hidden"><div id="widthwrapper" 
style="width: 100%;">
<div id="gridtoolbar"><div class="gridtoolbarnew" id="gridextendedtoolbar"><div class="gridtoolbarsub">
<ul><li><a href="http://rem0ve.137.0.0.1:8080/admin/Base/CustomFieldGroup/Insert"; viewport="1"><img 
src="Manage-Dateien/icon_addplus.gif" 
align="absmiddle" border="0"> New</a></li></ul></div></div>

Reference(s):
http://rem0ve.137.0.0.1:8080/admin/Base/CustomFieldGroup/Manage



Review: Live-Chat - Visitor Group Title


<div id="" class="dialogcontainer"><div class="dialogok"></div><div class="dialogokcontainer"><div class="dialogtitle">
Inserted Visitor Group "<[PERSISTENT INJECTED SCRIPT CODE!]>%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!]") <"</div>

... or

div class="ui-dialog-titlebar ui-widget-header ui-corner-all ui-helper-clearfix"><span 
id="ui-dialog-title-window_editgroup" 
class="ui-dialog-title"><img src="http://rem0ve.137.0.0.1:8080/__swift/themes/__cp/images/icon_window.gif"; 
align="absmiddle" 
border="0"> Edit Visitor Group: <[PERSISTENT INJECTED SCRIPT CODE!]>%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!]") 
<
<[PERSISTENT INJECTED SCRIPT CODE!]></span>

Reference(s):
http://rem0ve.137.0.0.1:8080/admin/LiveChat/Group/Manage


Risk:
=====
The security risk of the persistent input validation web vulnerabilities are estimated as medium(+).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () vulnerability-lab com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all 
warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. 
Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss 
of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such 
damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack 
into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                             - 
www.vulnerability-lab.com/register
Contact:    admin () vulnerability-lab com      - support () vulnerability-lab com             - research () 
vulnerability-lab com
Section:    video.vulnerability-lab.com         - forum.vulnerability-lab.com                  - 
news.vulnerability-lab.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                - 
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability 
Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the 
use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, 
videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, 
list (feed), 
modify, use or edit our material contact (admin () vulnerability-lab com or support () vulnerability-lab com) to get a 
permission.

                                        Copyright © 2013 | Vulnerability Laboratory

-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research () vulnerability-lab com
Previous By Date Next
Previous By Thread Next

Current thread: