VID | 210098
Severity | 20
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
Kayako SupportSuite, a help desk support system written in PHP, is affected by an information disclosure vulnerability in the syncml/index.php script. Version 3.11.01 and possibly other versions could allow a remote attacker to obtain sensitive information. By sending a direct request to the syncml/index.php script, a remote attacker could obtain the contents of the "$_SERVER[]" array. This array contains information such as the values of environment variables, the full paths to the web root and to the syncml/index.php script, and the web server administrator's e-mail address.
* References:
  http://www.waraxe.us/advisory-63.html
  http://www.securityfocus.com/archive/1/486762/30/0/threaded
  http://secunia.com/advisories/28613
* Platforms Affected:
  Kayako SupportSuite version 3.11.01 and possibly other versions
  Any operating system, Any version |
Recommendation |
No upgrade or patch available as of June 2014.
As a workaround, restrict access to the "syncml/index.php" script (e.g. with ".htaccess"). |
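One way to apply the workaround above on Apache, as an added example that is not part of the original advisory: an ".htaccess" file placed in the syncml/ directory. It assumes the server's AllowOverride setting permits authorization directives there, and the address 192.0.2.10 is a placeholder for a host that legitimately needs the script.

```apache
# .htaccess in the SupportSuite syncml/ directory (added example, not vendor-supplied).
# Assumption: AllowOverride for this directory includes AuthConfig (Apache 2.4)
# or Limit (Apache 2.2), otherwise these directives are rejected or ignored.
# 192.0.2.10 is a placeholder; drop the allow line to block all direct requests.

<Files "index.php">
    # Apache 2.4 and later: authorization is handled by mod_authz_core
    <IfModule mod_authz_core.c>
        Require ip 192.0.2.10
    </IfModule>

    # Apache 2.2 and earlier: legacy host-based access control
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 192.0.2.10
    </IfModule>
</Files>
```

Once this is in place, a request for syncml/index.php from any other address should be answered with 403 Forbidden instead of the "$_SERVER[]" dump.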
Related URL | CVE-2008-0395 (CVE)
Related URL | (SecurityFocus)
Related URL | 39861 (ISS)