Web Hosting Talk

Security issue in Kayako helpdesk?


AH-Tina
12-22-2004, 01:36 PM
See: http://www.zone-h.org/advisories/read/id=6609

Is there a fix for this yet? I can't get into the Kayako forums, at the moment.

--Tina

jt2377
12-22-2004, 02:05 PM
Originally posted by AH-Tina
See: http://www.zone-h.org/advisories/read/id=6609

Is there a fix for this yet? I can't get into the Kayako forums, at the moment.

--Tina

SQL Injection Vulnerabilities - there is no way to patch that. What you can do is to make the feedback (error code) unreadable by a hacker.

That's what my professor told me.

fraudgate
12-22-2004, 02:09 PM
Hiren posted an announcement about this:
This is in reference to the article posted by 'James Bercegay' on their website gulftech.org. This is to confirm that we have not received any emails from him in regard to the issues he has mentioned in his article, nor have we received any correspondence from him letting us know how the reported issues can be replicated.

With reference to the issues he has mentioned in his article, we have verified each and every section mentioned and the database variables are properly escaped. The files mentioned are not encoded and our clients can verify this by opening those files. So to sum it up we have not found any SQL Injection attacks at any of his reported issues.

On reading the article we have tried to get in touch with him. Since there was no contact information supplied on the site, we had to scour through the forum posts at WHT and found an email and emailed the person for detailed information but have yet to receive any reply on that. We will be updating all our clients with further status updates as soon as we have more information available.

Regards,

Hiren Mehta
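
An added example, not part of the thread and not Kayako code: it compares the two approaches mentioned above, hiding database errors versus changing how the query is built, on a constructed in-memory SQLite table. The table, function names and inputs are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; a hypothetical table, not Kayako's schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (id INTEGER, owner TEXT, subject TEXT)")
    db.executemany("INSERT INTO tickets VALUES (?, ?, ?)", [
        (1, "alice", "Billing question"),
        (2, "bob", "Password reset"),
        (3, "o'brien", "Invoice copy"),
    ])
    return db

def lookup_concat_errors_hidden(db, owner):
    # Query built by string concatenation. Database errors are swallowed,
    # so the caller never sees an error message.
    sql = ("SELECT subject FROM tickets WHERE owner = '" + owner +
           "' ORDER BY id")
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error:
        return []

def lookup_bound(db, owner):
    # Same query with a bound parameter: the input travels as data and is
    # never parsed as SQL, so quotes in it have no special meaning.
    sql = "SELECT subject FROM tickets WHERE owner = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (owner,))]

# Constructed input containing a quote that changes the WHERE clause.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "o'brien", CRAFTED):
        print(repr(name))
        print("  concat, errors hidden:", lookup_concat_errors_hidden(db, name))
        print("  bound parameter:      ", lookup_bound(db, name))
```

With errors hidden, the concatenated query still returns every row for the crafted input and silently returns nothing for the legitimate owner whose name contains a quote; the bound query returns only the matching owner's rows in all three cases.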