/¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯\
:Zendesk Multiple Vulnerabilities :
\________________________________/
/Discovered By:                  \
|Luis Santana                    |
\________________________________/

Overview
~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~
Luis Santana of the HackTalk Security team has found multiple vulnerabilities in Zendesk.

Product Information
~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~
Product/Script: Zendesk
Affected Version:
Vulnerability Type: Multiple
Security Risk: Multiple
Vendor URL: http://zendesk.com
Product/Script Demo:
Vendor Status: Notified
Patch/Fix Status: Patches Made
Advisory Timeline:
  July 31st 9:34am EST - Zendesk contacted about XSS
  July 31st 12:42pm EST - Ticket passed to Security Department
  July 31st 10:46pm EST - Zendesk has started producing a patch. Given the go-ahead to publicly disclose
  July 31st 1:00am EST - Found CSRF, continuing investigation
  August 1st 3:49pm EST - CSRF patch in production
  August 4th 3:51am EST - CSRF patch being rolled out
  August 10th 3:36pm EST - Given the OK to post advisory publicly
Advisory URL: http://hacktalk.net/exploit/exploit.php?n=10

Product Description
~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~
Web-based customer support software with elegant ticket management and a self-service customer community platform. Agile, smart and convenient. (From http://www.zendesk.com)

Vulnerability Details
~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~
XSS - The email address field of the anonymous_requests page is vulnerable to XSS due to a lack of input sanitation. By crafting a malicious POST request an attacker is able to inject HTML, JavaScript or AJAX into the anonymous_requests page.

CSRF - Due to a lack of input sanitation, many forms are vulnerable to CSRF. The most notable example is the new user creation form, which allows an attacker to create a new administrative user.

Proof of Concept
~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~
XSS -
CSRF - [The proof-of-concept HTML form was not preserved in extraction; only the rendered field labels and help text of the targeted new user creation form survived.]
  Name - Display name used throughout the help desk.
  Email - Used when logging in.
  Twitter account
  Phone number - Optional.
  Time zone
  Photo - An optional smiling face. For the best results, upload a photo with equal length and height.
  Detailed information - Optional detailed information concerning this user, e.g. an address. This information is visible to agents only, never to end-users.
  Notes - Optional notes concerning this user. Notes can also be added/edited for a requester directly on the ticket form page. Notes are visible to agents only, never to any end-user.
  Organization - Leave blank to select the default organization according to organization mappings.
  Role - privileges granted to this user:
    End-user. Submits support tickets to the help desk. Has access to tickets requested by the user only, or tickets from the user's organization (note: if the user belongs to a shared organization, the user always has access to tickets in the organization).
    Agent. Help desk operator. Receives and resolves tickets from end-users.
    Admin. Manages the help desk with regard to rules, users, organizations, groups and SLAs. Has access to all tickets.
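As an added example (not from the advisory and not Zendesk's own code), the two server-side controls the findings above call for, sketched in plain Ruby: allow-list validation plus HTML output encoding for the reflected email value, and a session-bound anti-CSRF token checked in constant time before the new-user handler creates anyone. The handler, the `authenticity_token` parameter name and the email policy are assumptions.

```ruby
require 'cgi'
require 'securerandom'

# Allow-list for the email field (assumed policy): the anonymous_requests
# page reflected whatever was POSTed, so markup must be rejected up front.
EMAIL_RE = /\A[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}\z/

def valid_email?(value)
  !!(value.to_s =~ EMAIL_RE)
end

# Output-encode before the value is embedded back into the page; this also
# covers a rejected value that is echoed in an error message.
def render_email_field(value)
  %(<input type="email" name="email" value="#{CGI.escapeHTML(value.to_s)}">)
end

# Constant-time comparison so the token check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Per-session anti-CSRF token, issued when the new-user form is rendered.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

def csrf_token_valid?(session, submitted)
  expected = session[:csrf_token]
  return false if expected.nil? || submitted.nil?
  secure_equal?(expected, submitted.to_s)
end

# Simulated user-creation handler (hypothetical, not Zendesk's code). A forged
# cross-site POST cannot carry the session-bound token, so it is refused
# before any user, let alone an admin, is created.
def create_user(session, params, users)
  return :forbidden unless csrf_token_valid?(session, params['authenticity_token'])
  return :invalid_email unless valid_email?(params['email'])
  user = { name: params['name'], email: params['email'], role: params['role'] }
  users << user
  user
end
```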

Patch/Fix Suggestion(s)
~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~
Upgrade to the latest version of Zendesk, as they have released patches for these vulnerabilities.

Security Risk
~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~
XSS - Low
CSRF - Mid

Author:
~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~
The Author and Researcher of this Advisory is Luis Santana of the HackTalk Security Team.