PT-2011-02: PHP code injection in Kayako Support Suite

Vulnerable software
Kayako Support Suite
Version: 3.70.02-stable and earlier
Application link: http://www.kayako.com/

Severity level
Severity level: High
Impact: Arbitrary PHP code execution
Access Vector: Network exploitable
CVSS v2: Base Score: 6.5
Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVE: not assigned

Software description
Kayako Support Suite is a HelpDesk system.

Vulnerability description
Positive Research Center has discovered a PHP code injection vulnerability in Kayako Support Suite.

The application insufficiently validates the data submitted through the template editing form. An attacker with administrator privileges can inject arbitrary PHP code via the template editing feature using an expression of the form:

<<??arbitrary_php_code??>>

Here is an example of the URL of the script used for template editing:

http://example.com/support/admin/index.php?_m=core&_a=edittemplate&templateid=11&templateupdate=register

The injected code is executed whenever a user requests a page rendered with the modified template.

How to fix
Update your software to v4.

Advisory status
25.11.2011 - Vendor is notified
25.11.2011 - Vendor gets vulnerability details
25.08.2011 - Vendor releases fixed version and details
29.12.2011 - Public disclosure

Credits
The vulnerability was discovered by Alexander Zaitsev, Positive Research Center (Positive Technologies Company)

References
http://en.securitylab.ru/lab/PT-2011-02

Reports on the vulnerabilities previously discovered by Positive Research:
http://www.ptsecurity.com/advisory1.aspx
http://en.securitylab.ru/lab/
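The root cause described in the vulnerability description is that template text taken from the admin form is stored and later evaluated as PHP without any check for code markers. The following is an added example of a save-time guard for that form, not Kayako's own code: it scans a submitted template for the <<??...??>> expression form the advisory cites as well as the standard PHP open tags, and refuses to store a template that contains any of them. The function names, the log format and the two sample templates are constructed for illustration; the {TICKETID} placeholder stands in for whatever real template variables the product uses.

```php
<?php
// Added example, not Kayako code: reject admin-submitted templates that
// carry anything a PHP-evaluating template renderer would execute.

/**
 * Return every code marker found in $template, or an empty array when
 * the template contains only static markup and template placeholders.
 */
function find_code_markers(string $template): array
{
    $patterns = [
        '/<<\?\?.*?\?\?>>/s',                       // <<??...??>> form from the advisory
        '/<\?(php\b|=)?/i',                         // <?php, <?= and short open tags
        '/<script[^>]+language\s*=\s*["\']?php/i',  // legacy <script language="php">
    ];
    $found = [];
    foreach ($patterns as $re) {
        if (preg_match_all($re, $template, $m)) {
            $found = array_merge($found, $m[0]);
        }
    }
    return array_values(array_unique($found));
}

/**
 * Gate for the template-update handler: true means the template may be
 * stored; false means the request is rejected and recorded for review,
 * together with the admin account that submitted it (constructed log line).
 */
function template_update_allowed(string $template, string $adminUser, int $templateId): bool
{
    $markers = find_code_markers($template);
    if ($markers === []) {
        return true;
    }
    error_log(sprintf('rejected template %d from %s: %s',
        $templateId, $adminUser, implode(' | ', $markers)));
    return false;
}

// Constructed sample templates: one legitimate, one carrying an embedded expression.
$clean   = '<html><body>Ticket #{TICKETID} was updated.</body></html>';
$tainted = '<html><body><<??echo 1;??>> Ticket #{TICKETID}</body></html>';

var_dump(template_update_allowed($clean, 'admin', 11));
var_dump(template_update_allowed($tainted, 'admin', 11));
```

Note that the second pattern also matches an XML declaration such as `<?xml`, so templates that legitimately begin with one need that prefix allowed explicitly; a rejected save should be treated as an audit event, since only an administrator account can reach this form.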