Kayako eSupport is "one of the most feature packed support systems; in this tour you will find why over a thousand companies have decided to opt for eSupport and use it to process their daily support requests".
The Kayako eSupport product has been found to contain multiple vulnerabilities that range from cross site scripting issues to SQL injection vulnerabilities.
Cross Site Scripting:
A cross site scripting vulnerability exists in Kayako eSupport. This vulnerability exists due to user supplied input not being checked properly. Below is an example. http://path/index.php?_a=knowledgebase&_j=search&searchm=[CODEGOESHERE]
This vulnerability could be used to steal cookie based authentication credentials within the scope of the current domain, or render hostile code in a victim's browser.
SQL Injection:
Kayako eSupport is prone to SQL Injection in a number of places. Below are some examples of URL's that could be used to take advantage of these vulnerabilities. http://path/index.php?_a=knowledgebase&_j=subcat&_i=[SQL]
http://path/index.php?_a=knowledgebase&_j=rate&_i=[SQL]&type=no
http://path/index.php?_a=knowledgebase&_j=questiondetails&_i=[SQL]
http://path/index.php?_a=tickets&_m=viewmain&email22=blah@blah&ticketkey22=[SQL]
http://path/index.php?_a=tickets&_m=viewmain&email22=[SQL]&ticketkey22=
These is also an SQL Injection vulnerability in the "Home > Ticket Status > Forgot Key" feature. This can be take advantage of by putting a malicious query in the email field. Because of the location of the unchecked variable in the query, it makes it easy for an attacker to use these issues to query just about any info from the underlying database. It should also be noted that the attacker does not need to be logged in to Kayaki eSupport in order to exploit these SQL injections.
