Friday, September 4

Tag: programmer

Exploit, Software

Kayako Fusion Exploit uncovered CRITICAL

Recently, while testing Kayako's live chat and support software, labeled Fusion (the most current version), I noticed that it has an exploit. In lengthy chat conversations with their tech teams, they have classified this exploit as an "optional feature" missing from the current version. They sent me to this developer link. Hmm.

Here's the scenario. You have a protected knowledgebase of information, available only to paying customers: customers that you have to whitelist or allow as registered users. You also use Kayako's mail parser mechanism to parse emails from customers (and everyone else). To exploit the passworded and [level-premier-free]permissioned knowledgebase, one only needs to send an email to any of the domains parsed via Kayako Fusion, and you are automatically whi...
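As an added example (not code from this post or from Kayako), here is a small hypothetical Python model of the design flaw described above: an account deliberately whitelisted by an admin and an account auto-created by the mail parser both become "registered users". `demo(False)` applies the weak policy (registration alone opens the knowledgebase) and `demo(True)` the corrected one (access requires an entitlement that only the whitelist path sets). All class and function names here are assumptions.

```python
# Hypothetical model of the flaw described above (constructed example).
from dataclasses import dataclass


@dataclass
class User:
    email: str
    source: str                # "admin_whitelist" or "mail_parser"
    kb_entitled: bool = False  # set only by an explicit admin action


class HelpdeskModel:
    def __init__(self, require_entitlement):
        self.require_entitlement = require_entitlement
        self.users = {}

    def whitelist_customer(self, email):
        # Deliberate admin action: the only path that sets kb_entitled.
        user = User(email, source="admin_whitelist", kb_entitled=True)
        self.users[email] = user
        return user

    def handle_inbound_email(self, sender):
        # Mail parser: unknown senders get an account so their ticket
        # can be tracked. The account is a plain "registered user".
        if sender not in self.users:
            self.users[sender] = User(sender, source="mail_parser")
        return self.users[sender]

    def can_view_kb(self, email):
        user = self.users.get(email)
        if user is None:
            return False
        if not self.require_entitlement:
            # Weak policy: any registered account may read the protected
            # KB, so emailing support is enough to get in.
            return True
        # Fixed policy: registration alone is not entitlement.
        return user.kb_entitled


def demo(require_entitlement):
    hd = HelpdeskModel(require_entitlement)
    hd.whitelist_customer("paying@example.com")      # deliberately whitelisted
    hd.handle_inbound_email("stranger@example.net")  # merely emailed support
    return {e: hd.can_view_kb(e)
            for e in ("paying@example.com", "stranger@example.net")}
```

The check to run against a real deployment is the same: confirm that an account created only because someone emailed a parsed address carries no knowledgebase entitlement.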