Security bulletin – SupportSuite and eSupport

A recent discovery of a potentially exploitable XSS (cross-site scripting) vulnerability inside of the staff control panel means that we have had to release an out-of-cycle patch to our customers.

Who needs to apply the patch

All customers running SupportSuite or eSupport 3.60.04 or earlier need to apply this patch as soon as possible.

About the flaw

The flaw can only be exploited by fully authenticated staff users. However, because this is cross-site scripting, an attacker could trick one of your staff users into clicking a legitimate-looking link that triggers the exploit and could leak information such as that staff user’s session data and cookie data.
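The risk described above, as an added example that is not part of the Kayako post or its code: a stand-in control-panel handler that reflects a query parameter into the page it serves, first without and then with HTML output encoding. The handler, the parameter name `q` and the crafted query string are all constructed for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed example: a page that echoes a search term back into its HTML.
# Kayako's real handler is not shown on the page; this only illustrates the
# reflected-XSS pattern and output encoding as the fix.

# A crafted link carries the payload URL-encoded in the query string.
CRAFTED_QUERY = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def _term(query_string: str) -> str:
    """Pull the untrusted 'q' parameter out of the query string (percent-decoded)."""
    return parse_qs(query_string).get("q", [""])[0]


def render_unsafe(query_string: str) -> str:
    """Vulnerable: the parameter is interpolated into HTML verbatim, so markup in it runs."""
    return f"<p>Results for: {_term(query_string)}</p>"


def render_safe(query_string: str) -> str:
    """Hardened: HTML-encode the value before it reaches the page (quote=True also
    covers attribute contexts by encoding ' and ")."""
    return f"<p>Results for: {html.escape(_term(query_string), quote=True)}</p>"


if __name__ == "__main__":
    print(render_unsafe(CRAFTED_QUERY))  # raw <script> tag lands in the page
    print(render_safe(CRAFTED_QUERY))    # &lt;script&gt; is rendered as text
```

Output encoding at the point where untrusted data enters HTML is the fix for the class of bug; marking the session cookie `HttpOnly` is a separate defence-in-depth step that keeps script on the page from reading `document.cookie`, but it does not stop the script from acting inside the logged-in session.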

How to apply the patch

You just need to replace one file in your support desk installation.

  1. Visit the members’ area, click on the Patches tab.
  2. Download the patch file under the “30th September 2009 advisory” that corresponds to your SupportSuite or eSupport version.
    1. If you are running a version earlier than 3.11, you will need to perform a full upgrade to 3.60.04 and then apply the patch.
  3. Extract the ZIP file contents, which contains “functions_ticketsui.php”.
  4. Upload this file to your support desk installation, replacing the existing file: ./modules/tickets/functions_ticketsui.php

It is important that all of our customers apply this patch as soon as possible.

If you need assistance applying the patch

Please do not hesitate to get in touch with us – we’ll be happy to help you apply the patch. Visit the members’ area, click on the Get Support tab to submit a support ticket.

Security housekeeping

Control panel IP restrictions

In 3.40.00, we added a feature which allows administrators to restrict which IP addresses can access the staff and administrator control panels. You can specify these IP addresses in the ./config/config.php file, as shown below.

/**
* ENABLE IP RESTRICTION: This option allows you to restrict the admin, staff, winapp, mobile and pda interfaces to a certain IP range
* 202.1.192.0-202.1.192.255: a range of IPs
* 200.36.161.0/24: a range of IPs by using net masking
* 200.36.161/24: a shortened syntax similar to the above.
* Example: $_SWIFT['iprestrict'] = array('202.1.192.0-202.1.192.255', '200.36.161.0/24');
*/
$_SWIFT['iprestrict'] = array();

If you are able to isolate logins by IP addresses, we highly recommend you do so, as this means that if one of your staff user’s login details is ever compromised, an attacker will still not be able to login to your control panels from IP addresses other than those you specify.
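To make the three notations in that config comment concrete, here is an added example (not Kayako's code) that parses entries in the same three forms and decides whether a client address falls inside any of them. The list contents, the helper names and the rule that an empty list means no restriction are assumptions for the illustration; the actual behaviour of `$_SWIFT['iprestrict']` is defined by the product, not by this snippet.

```python
import ipaddress

# Constructed stand-in for the $_SWIFT['iprestrict'] list in config.php.
# Assumption (not stated on the page): an empty list means no restriction.
IPRESTRICT = ["202.1.192.0-202.1.192.255", "200.36.161.0/24", "10.0/16"]


def _pad_octets(text: str) -> str:
    """Expand the shortened form '200.36.161' to '200.36.161.0' (assumed semantics)."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad IPv4 prefix: {text!r}")
    return ".".join(parts + ["0"] * (4 - len(parts)))


def parse_rule(rule: str):
    """Turn one config entry into an inclusive (first, last) pair of IPv4Address."""
    rule = rule.strip()
    if "-" in rule:                                   # explicit range: a.b.c.d-e.f.g.h
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in rule.split("-", 1))
        if lo > hi:
            raise ValueError(f"reversed range: {rule!r}")
        return lo, hi
    if "/" in rule:                                   # CIDR, full or shortened prefix
        prefix, bits = rule.split("/", 1)
        net = ipaddress.IPv4Network(f"{_pad_octets(prefix)}/{int(bits)}", strict=False)
        return net.network_address, net.broadcast_address
    addr = ipaddress.IPv4Address(_pad_octets(rule))   # bare address: treat as a single host
    return addr, addr


def is_allowed(client_ip: str, rules=IPRESTRICT) -> bool:
    """True if the client address is inside at least one rule, or if no rules are set."""
    if not rules:
        return True
    ip = ipaddress.IPv4Address(client_ip)
    return any(lo <= ip <= hi for lo, hi in map(parse_rule, rules))


if __name__ == "__main__":
    for probe in ("202.1.192.17", "202.1.193.1", "200.36.161.255", "10.0.200.1", "10.1.0.1"):
        print(probe, "allowed" if is_allowed(probe) else "denied")
```

Whatever enforces such a list must test the address of the TCP peer, not a client-supplied header like `X-Forwarded-For`, unless the application sits behind a proxy you control that strips and rewrites that header; otherwise the restriction can be sidestepped by anyone who can set the header. It also helps to reject malformed entries loudly at startup rather than silently treating them as "deny all" or "allow all".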

8 Comments

  1. Posted September 30, 2009 at 9:19 PM Permalink

    Good to see you guys took our incident report seriously! And good work on bringing out a patch for it so quickly.

  2. Posted September 30, 2009 at 11:11 PM Permalink

    Thanks guys. :-)

  3. Carlos Oliveros
    Posted October 1, 2009 at 3:16 PM Permalink

    Thanks for the patch.

    Regards

  4. Posted October 2, 2009 at 3:38 PM Permalink

    Patch applied.
    :)

  5. Paul
    Posted October 3, 2009 at 12:47 AM Permalink

    Your post says “eSupport 3.60.04 or earlier”, but this patch doesn’t work for 3.00.32. Please advise.

  6. Posted October 3, 2009 at 1:22 PM Permalink

    @Paul – Visit the patch area again, try the patch for 3.11. If that doesn’t work, I am afraid you will need to upgrade (you really should, as you are exposed to many serious security vulnerabilities by running such an outdated version).

  7. Posted October 20, 2009 at 9:57 AM Permalink

    Thank you for the patch. Great that you look at XSS because that’s a huge problem for many sites!

    thx and regards,
    Michael

  8. Posted November 24, 2009 at 6:23 PM Permalink

    Thanks for your help and updates guys!

© Kayako Infotech Ltd. 2001 - 2009, all rights reserved