——-Summary——Software: SupportSuiteSowtware's Web Site: http://www.kayako.comVersions: 3.00.32Class: RemoteStatus: UnpatchedExploit: AvailableSolution: Not AvailableDiscovered by: imei AddmimistratorRisk Level: Medium——Description—–Supportsuite , a great product of kayako, Ideal for providing ticketbased support, is prone to XSS attack in multiple internal files.{morethan 300 files} Use of unsafe variable PHP_SELF in so many files of supprtsuite, makesthis program vulnerable against XSS attacks. The bug is in result ofusing PHP_SELF variable that is unsafe in many version of PHP insideof parameter used in function trigger_error().Product has an "Anti Full path disclosure" approach come here: if (!defined("INSWIFT")) {trigger_error("Unable to process $PHP_SELF", E_USER_ERROR);}As it's obvious, It has a weakness against XSS. VISITE ORIGINAL ADVISORY FOR MORE DETAILS> http://myimei.com/security/2007-12-06/supportsuite-31101-multiple-file-php-self-xss.html -------BTW I have no idea what's wrong with moderators. they said my old posthas no detail and ask me for more details. I sent much posts like thatand users could refer to original advisory for understanding bug.Should you always keep entire text in your site instead of poor bugfinder or its a really new policy!--imei AddmimistratorVisit my SeQrity Homepage at:http://myimei.com/security
