Crafty Syntax Live Help update 3.4.4: two minor security issues were discovered and fixed.
Crafty Syntax Live Help (CSLH) is an open source live support solution that helps customer support with live help functionality that can be proactively pushed to visitors to your site or requested by the consumer.
Crafty Syntax includes a wide range of features, allowing multiple operators, multiple departments and multiple languages to be used. Crafty Syntax Live Help is free and is programmed in PHP with MySQL for the database.
Other highlighted features include the ability to create your own questions, auto-inviting visitors, referrer tracking, page tracking, the ability to view what the customer is typing as they type, multiple chat sessions, sound alerts, leaving a message if offline, pushing URLs, quick responses, customizable graphics, and multiple operators.
Changes Details
The patch for both of these issues is detailed below.
Both of these security issues are VERY MINOR. admin.php cannot be accessed by the public, so the remote file inclusion can only be exploited by a logged-in operator, which makes it hard to exploit.
Additionally, the page parameter is only echoed into the src attribute of a frame (line #45 below); it is never passed to include(), so no remote code can be run on the server.
The full path disclosure lets an attacker see the filesystem path of your installation, but nothing more. This has been fixed as well.
+ Crafty Syntax Live Help <= (2.*.* & 3.*.*) RFI + Path Disclosure
- 1) Remote File Include : admin.php
if(!(isset($UNTRUSTED['page']))){ $UNTRUSTED['page'] = "scratch.php"; }
http://localhost/path/admin.php?page=[RFI]
- 2) Full Path Disclosure: xmlhttp.php
Dork: inurl:"/xmlhttp.php"
Notice: Undefined index: whattodo in
Patch for Above
(Line numbers refer to the unpatched 3.4.x files; make the line #45 change first, since inserting lines after #38 shifts everything below it.)
- Open up admin.php and update line #45 to be:
<frame src="<?php echo $page; ?>?help=<?php echo $UNTRUSTED['help'] . $alttab; ?>" name="contents" scrolling="AUTO" border="0" marginheight="0" marginwidth="0" NORESIZE>
- Add these lines after line #38:
$page = "scratch.php";
if($UNTRUSTED['page']=="scratch.php"){ $page = "scratch.php"; }
if($UNTRUSTED['page']=="mastersettings.php"){ $page = "mastersettings.php"; }
if($UNTRUSTED['page']=="help.php"){ $page = "help.php"; }
if($UNTRUSTED['page']=="edit_layer.php"){ $page = "edit_layer.php"; }
if($UNTRUSTED['page']=="edit_smile.php"){ $page = "edit_smile.php"; }
if($UNTRUSTED['page']=="operators.php"){ $page = "operators.php"; }
if($UNTRUSTED['page']=="departments.php"){ $page = "departments.php"; }
if($UNTRUSTED['page']=="data.php"){ $page = "data.php"; }
if($UNTRUSTED['page']=="modules.php"){ $page = "modules.php"; }
With these lines in place, $page can only ever be one of the nine local file names listed; any other value of the page parameter, including a URL, falls back to scratch.php.
- Open up xmlhttp.php and change line #52 to:
if(empty($UNTRUSTED['whattodo'])){ $UNTRUSTED['whattodo'] = ""; }
- Remove line #53:
$whattodo = "";
The path leaked because PHP prints the script's full path in its "Undefined index" notice when display_errors is on. Defining the index before use removes that notice; setting display_errors = Off in php.ini on production servers stops any other notice from leaking the path as well.
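As an added example (not CSLH's own code), the PHP below implements the same allowlist approach the patch takes, written as functions so the behaviour can be exercised from the command line against the advisory's payload. The function names, the $params array standing in for CSLH's $UNTRUSTED array, and the sample inputs are assumptions made for this example; the URL/HTML encoding of the help value goes beyond the patch and is added here as defence in depth.

```php
<?php
// Added example, not Crafty Syntax Live Help project code.
// Assumptions: $params plays the role of CSLH's $UNTRUSTED request array;
// function names are invented for this illustration.

declare(strict_types=1);

// The only pages admin.php may load into the frame (the nine names from the patch).
const ADMIN_PAGES = [
    'scratch.php', 'mastersettings.php', 'help.php', 'edit_layer.php',
    'edit_smile.php', 'operators.php', 'departments.php', 'data.php',
    'modules.php',
];

/**
 * Map the untrusted "page" parameter to one of ADMIN_PAGES.
 * Anything else (missing, a URL, a traversal path, a non-string) falls back
 * to scratch.php, so the parameter can never name a remote or arbitrary file.
 * in_array(..., true) is the strict equivalent of the patch's chain of
 * if ($UNTRUSTED['page'] == "...") checks.
 */
function resolve_admin_page(array $params): string
{
    $page = $params['page'] ?? '';
    return (is_string($page) && in_array($page, ADMIN_PAGES, true))
        ? $page
        : 'scratch.php';
}

/**
 * Build the <frame> tag from the patched line #45.
 * The page name is constrained by the allowlist; the help value is
 * additionally URL-encoded and the whole attribute HTML-escaped here
 * (the patched line itself echoes the help value without encoding).
 */
function admin_frame_tag(array $params, string $alttab = ''): string
{
    $page = resolve_admin_page($params);
    $help = $params['help'] ?? '';
    $help = is_string($help) ? $help : '';
    $src  = $page . '?help=' . rawurlencode($help . $alttab);
    return '<frame src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '"'
         . ' name="contents" scrolling="AUTO" border="0"'
         . ' marginheight="0" marginwidth="0" NORESIZE>';
}

/**
 * xmlhttp.php: read "whattodo" without triggering an "Undefined index"
 * notice, which (with display_errors on) prints the script's full path.
 */
function whattodo_from(array $params): string
{
    $what = $params['whattodo'] ?? '';
    return is_string($what) ? $what : '';
}

// Constructed inputs: the RFI payload shape from the advisory, a traversal
// attempt, a legitimate page with a hostile help value, and no parameters.
$cases = [
    ['page' => 'http://attacker.example/shell.txt'],
    ['page' => '../../config.php'],
    ['page' => 'operators.php', 'help' => '"><script>alert(1)</script>'],
    [],
];
foreach ($cases as $params) {
    printf("%-45s -> %s\n", var_export($params['page'] ?? null, true), resolve_admin_page($params));
}
echo admin_frame_tag($cases[2]), "\n";
// No notice is raised for a request without whattodo; the value is simply "".
var_dump(whattodo_from([]) === '');
```

Run with `php example.php`: the first two cases resolve to scratch.php, operators.php passes through, and the hostile help value appears in the frame tag only as an encoded query string.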
Files Changed
- setup.php
- xmlhttp.php
- admin.php
- navigation.php
More Information
- Try Online Demo:
Crafty Syntax Live Help (Softaculous external link)
Crafty Syntax Live Help Changelog (Official website, external link)
- Start Crafty Syntax Live Help:
In order to use Crafty Syntax Live Help you need a domain name (e.g. yoursite.com) and a web hosting service.
If you don't have a domain name, Register a Domain Name.
To install Crafty Syntax Live Help, choose one of our hosting plans (all our packages include Softaculous).
- Hosted Crafty Syntax Live Help
Contact us if you don't need a domain or hosting service but still want to use Crafty Syntax Live Help.