On Thu, Aug 17, 2006 at 12:52:44PM -0700, Erik Stephens wrote: > I came across a 2.3.5 version of eKayako that is still vulnerable. Have you tried the exploit manually to confirm it is indeed vulnerable? > The > solution recommends upgrading to version 2.3.1 or later. The Bugtraq > discussion does not mention any patches. This Gulftech page claims > otherwise: > > http://www.gulftech.org/?node=research&article_id=00056-12182004 Note that this advisory cross-references BID 12037, which is not listed in the plugin. While I originally wrote this plugin, I now think the link to the GulfTech advisory is incorrect; instead, I will shortly update it to point to: http://www.securityfocus.com/archive/1/393946 http://forums.kayako.com/showthread.php?t=2689 The second is the vendor's announcement of the 2.3.1 release. While that offers no specifics, it does credit "James from GulfTech" as discovering the flaws that are being fixed. Btw, when Bercegay released his advisory on 12/18/2004, there was no solution available at the time; eg, see: http://www.securityfocus.com/archive/1/384882 although he anticipated one "soon". Compare that with a subsequent advisory: http://www.gulftech.org/?node=research&article_id=00092-07302005 which mentions Kayako developers asking for 3 months to resolve some later issues. > How to solve? Assuming the flaw does indeed exist and you're really looking at 2.3.5, I think the best thing would be to contact the vendor. Perhaps the issue was reintroduced after being fixed? George -- theall@private _______________________________________________ Plugins-writers mailing list Plugins-writers@private http://mail.nessus.org/mailman/listinfo/plugins-writers
This archive was generated by hypermail 2.1.3 : Thu Aug 17 2006 - 13:49:30 PDT