
Sunday, October 10, 2010

[AJS_ADVISORIES_05&2010] Kayako eSupport v3.11.01 (index.php?_m=tickets&_a=submit) Arbitrary File Upload Vulnerability

-----------------------------------------------------------------------------------------
[AJS_ADVISORIES_05&2010] Kayako eSupport v3.11.01 (index.php?_m=tickets&_a=submit) Arbitrary File Upload Vulnerability
-----------------------------------------------------------------------------------------
Author : Shamus
Date : October 10th, 2010
Location : Solo && Jogjakarta, Indonesia
Web : http://antijasakom.net/forum
Critical Lvl : Low
Impact : User may upload malicious files to server
Where : From Remote
---------------------------------------------------------------------------


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Kayako eSupport
Version : Kayako eSupport v3.11.01
Vendor : Kayako
Download : http://www.kayako.com/
Description :
Leading help desk software. Powerful and flexible, adaptable to your organization.
We offer market leading, business-class help desk software solutions that are affordable to companies, organizations and businesses of all sizes.
Kayako helpdesk software is turn-key and very easy to set up, requiring nothing more than an average web server.
Be up and running in a matter of minutes using the automatic installer.

Synchronise tasks, appointments and contacts with Microsoft Outlook.
Share logins with third-party databases (including Active Directory).
Manage your tickets online and offline with your Windows Mobile smartphone. Receive ticket alerts directly to your desktop.

We offer a variety of add-on products, and offer license options allowing access to the majority of our application source code;
enabling you and our development community to develop, customize and share.
--------------------------------------------------------------------------


Vulnerability:
~~~~~~~~~~~~
- The public "Submit a Ticket" form accepts file attachments from unauthenticated visitors, so a remote user can place files of their choosing on the server.
- The advisory does not show whether uploaded attachments are reachable from a web-accessible path or can be executed, which is consistent with the Low rating above: the demonstrated impact is that untrusted files land on the server, not code execution.


PoC/Exploit:
~~~~~~~~~~
- Open any news item on the target helpdesk, e.g. http://support.stupidsite.com/index.php?_m=news&_a=viewnews&newsid=2
- Click "Submit a Ticket"; this opens the ticket form:
- http://support.stupidsite.com/index.php?_m=tickets&_a=submit
- Select a Department and click Next. The ticket form that follows lets you attach files, which are uploaded to the server when the ticket is submitted.

Example sites:
- http://support.111pix.com/index.php?_m=news&_a=viewnews&newsid=2
- http://support.ultimatelocator.com/index.php?_m=news&_a=viewnews&newsid=14
- http://support.smartbees.com.my/index.php?_m=news&_a=viewnews&newsid=2

Dork:
~~~~~
Google :
- inurl:index.php?newsid powered by kayako eSupport v3.11.01
OR
- Help Desk Software By Kayako eSupport v3.11.01

Solution:
~~~~~~~~~
- No vendor fix is referenced in this advisory. Until the attachment handling is reviewed, validate uploads server-side: accept only the file types the helpdesk needs, checked by content rather than by the client-supplied filename alone; store attachments outside the web root under a server-chosen random name; and return them only through a download script that forces Content-Disposition: attachment with a neutral Content-Type.
- Where attachments from unauthenticated visitors are not needed, disable them on the public ticket form.
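What "properly validated" means in practice for a form like this one. The following is an added example, not code from Kayako eSupport or from the advisory author: it assumes a hypothetical attachment handler with its own names, a 5 MiB size policy and an attachment directory outside the web root, and the sample uploads are constructed inline rather than captured. The verdict on each file rests on its content matching the allowlisted type, so a PHP script renamed to .jpg is rejected, and the client's filename is never used on disk.

```python
"""Server-side checks for a public ticket-attachment upload.
Added example, not code from Kayako eSupport: the checks a properly validated
attachment handler applies on a form unauthenticated visitors can reach. All
names are assumed; sample uploads are constructed, not captured."""
import os
import re
import secrets

MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024  # assumed policy: 5 MiB per file

# Allowlist of types a helpdesk actually needs, with the magic bytes each
# must start with. The verdict rests on content, not on the client's name.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
_SAFE_EXT = re.compile(r"^[a-z0-9]{1,5}$")


class RejectedUpload(ValueError):
    """Raised with a short reason when an upload fails validation."""


def canonical_extension(client_name: str) -> str:
    """Extension claimed by the client's filename, with any path stripped."""
    # Keep only the final path component; refuse NULs and dotless names.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if "\x00" in base or "." not in base:
        raise RejectedUpload("filename has no usable extension")
    ext = base.rsplit(".", 1)[1].lower()
    if not _SAFE_EXT.match(ext) or ext not in ALLOWED_TYPES:
        raise RejectedUpload(f"extension .{ext} is not allowed")
    return ext


def validate_attachment(client_name: str, data: bytes) -> str:
    """Return the canonical extension if the upload is acceptable.
    Size first, then name, then the content must match the claimed type,
    so 'shell.php.jpg' holding PHP source fails the last check."""
    if not 0 < len(data) <= MAX_ATTACHMENT_BYTES:
        raise RejectedUpload("attachment is empty or exceeds size limit")
    ext = canonical_extension(client_name)
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise RejectedUpload(f"content does not look like .{ext}")
    return ext


def storage_name(ext: str) -> str:
    """Random server-chosen name; the client's name never reaches the disk."""
    return f"{secrets.token_hex(16)}.{ext}"


def store_attachment(client_name: str, data: bytes, attachment_dir: str) -> str:
    """Validate and write under attachment_dir (assumed outside the web root)."""
    ext = validate_attachment(client_name, data)
    path = os.path.join(attachment_dir, storage_name(ext))
    # O_EXCL: a name collision fails closed instead of overwriting a file.
    with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600), "wb") as fh:
        fh.write(data)
    return path


def download_headers(client_name: str, size: int) -> dict:
    """Headers for returning an attachment through a download script: a neutral
    type, nosniff and a forced download stop the browser rendering it."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", client_name)[:100] or "attachment"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "Content-Length": str(size),
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample uploads (assumed, not captured traffic).
SAMPLE_UPLOADS = [
    ("screenshot.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    ("photo.JPG", b"\xff\xd8\xff\xe0" + b"\x00" * 32),
    ("shell.php", b"<?php system($_GET['c']); ?>"),
    ("shell.php.jpg", b"<?php system($_GET['c']); ?>"),
    ("../../.htaccess", b"AddType application/x-httpd-php .jpg\n"),
    ("report.pdf", b"%PDF-1.4\n" + b"x" * MAX_ATTACHMENT_BYTES),
]


def triage(samples=SAMPLE_UPLOADS) -> dict:
    """Map each sample name to its accepted extension or rejection reason."""
    results = {}
    for name, data in samples:
        try:
            results[name] = "accepted as ." + validate_attachment(name, data)
        except RejectedUpload as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:18} {verdict}")
```

Running the module prints the verdict for each constructed sample: the two images are accepted, the two PHP payloads and the traversal attempt are rejected, and the oversize PDF is refused before its content is inspected. The size check runs first so a multi-megabyte body is never sniffed, and `download_headers` is the second half of the fix: even if a bad file did get stored, it is handed back as an opaque download rather than rendered in the victim's browser.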


Timeline:
~~~~~~~
- 07 - 10 - 2010 Bug found
- 07 - 10 - 2010 Vendor not contacted [and certainly never will be]
- 10 - 10 - 2010 Advisory released
---------------------------------------------------------------------------


Shoutz:
~~~~~~~
oO0::::: Greetz and Thanks: :::::0Oo.
Tuhan YME
My Parents
SPYRO_KiD
K-159
lirva32
newbie_campuz

And Also My LuvLy wife :
..::.E.Z.R (The deepest Love I've ever had..).::..

in memorial :
1. Monique
2. Dewi S.
3. W. Devi Amelia
4. S. Anna

oO0:::A hearty handshake to: :::0Oo
~ Crack SKY Staff
~ Echo staff
~ antijasakom staff
~ jatimcrew staff
~ whitecyber staff
~ lumajangcrew staff
~ devilzc0de staff
~ unix_dbuger, boys_rvn1609, jaqk, byz9991, bius, g4pt3k, anharku, wandi, 5yn_4ck, kiddies, bom2, untouch, antcode
~ arthemist, opt1lc, m_beben, gitulaw, luvrie, poniman_coy, ThePuzci, x-ace, newbie_z, petunia, jomblo.k, hourexs_paloer, cupucyber, kucinghitam, black_samuraixxx, ucrit_penyu, wendys182, cybermuttaqin
~ k3nz0, thomas_ipt2007, blackpaper, nakuragen, candra, dewa
~ whitehat, wenkhairu, Agoes_doubleb, diki, lumajangcrew a.k.a adwisatya a.k.a xyberbreaker, wahyu_antijasakom
~ Cruz3N, mywisdom,flyff666, gunslinger_, ketek, chaer.newbie, petimati, gonzhack, spykit, xtr0nic, N4ck0, assadotcom, Qrembiezs, d4y4x, gendenk
~ All people in SMAN 3
~ All members of spyrozone
~ All members of echo
~ All members of newhack
~ All members of jatimcrew
~ All members of Anti-Jasakom
~ All members of whitecyber
~ All members of Devilzc0de
#e-c-h-o, #K-elektronik, #newhack, #Solohackerlink, #YF, #defacer, #manadocoding, #jatimcrew, #antijasakom, #whitecyber, #devilzc0de
---------------------------------------------------------------------------


Contact:
~~~~~~~~~
Shamus : Shamus@antijasakom.net
Homepage: https://antijasakom.net/forum/viewtopic.php?f=38&t=668
-------------------------------- [ EOF ] ----------------------------------