ASP Help Desk Software | Security bulletin – SupportSuite and eSupport

Security bulletin – SupportSuite and eSupport

A recent discovery of a potentially exploitable XSS (cross-site scripting) vulnerability inside of the personnel control panel means that we have had to release an out-of-cycle patch to our customers.

Who needs to apply the patch

All customers running SupportSuite or eSupport 3.60.04 or earlier need to apply this patch as soon as possible.

About the flaw

The flaw can only be exploited by fully authenticated personnel users. However, with cross-site scripting an attacker could trick one of your personnel users into clicking a legitimate-looking link that triggers the exploit, which could leak information such as that user’s session data and cookie data.
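To illustrate the class of flaw the bulletin describes, here is an added example in PHP; it is not code from SupportSuite, eSupport or the patched functions_ticketsui.php, and the page functions and the search parameter are hypothetical. It shows a reflected value echoed into HTML unencoded beside the encoded form, plus the session-cookie setting that limits what a script can read:

```php
<?php
// Added illustration, not SupportSuite/eSupport code. The page and functions
// below are hypothetical and only stand in for "a control panel page that
// reflects request input".

// Hypothetical vulnerable rendering: the search term from the query string is
// echoed straight into the page, so a crafted link makes the personnel user's
// browser treat attacker-chosen markup as part of the control panel.
function render_search_vulnerable($query) {
    return '<h2>Tickets matching: ' . $query . '</h2>';
}

// Hardened form: encode for the HTML context before output. ENT_QUOTES also
// encodes single quotes, which matters when a value lands inside an attribute.
function html_escape($value) {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_hardened($query) {
    return '<h2>Tickets matching: ' . html_escape($query) . '</h2>';
}

// Defence in depth for the cookie leak the bulletin mentions: with HttpOnly
// set, document.cookie cannot read the session cookie. Script running in the
// page can still act as the logged-in user, so encoding output remains the fix.
ini_set('session.cookie_httponly', '1');

// Constructed sample input containing markup characters (assumed, not from the page).
$sample = 'Printer <i>down</i> "again"';
echo render_search_vulnerable($sample), PHP_EOL;  // the <i> tag is rendered as markup
echo render_search_hardened($sample), PHP_EOL;    // &lt;i&gt;down&lt;/i&gt; &quot;again&quot; is inert text
```

The two render functions differ only in the encoding step; run the file from the command line to compare the two output lines. Encoding must happen at the point of output for the context the value lands in (HTML body, attribute, JavaScript, URL), which is why a single missed call in one file is enough to reintroduce the problem.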

How to apply the patch

You just need to replace one file in your support desk installation.

  1. Visit the members’ area, click on the Patches tab.
  2. Download the patch file under the “30th September 2009 advisory”.
  3. Extract the ZIP file contents, which contain “functions_ticketsui.php”.
  4. Upload this file to your support desk installation, replacing the existing file: ./modules/tickets/functions_ticketsui.php

It is vital that all of our customers apply this patch as soon as possible.

If you need help applying the patch

Please do not hesitate to get in touch with us – we’ll be pleased to help you apply the patch. Visit the members’ area, click on the Get Support tab to submit a support ticket.

Security housekeeping

Control panel IP restrictions

In 3.40.00, we added a feature which allows administrators to restrict which IP addresses can access the personnel and administrator control panels. You can specify these IP addresses in the ./config/config.php file, as shown below.

/**
* ENABLE IP RESTRICTION: This option allows you to restrict the admin, personnel, winapp, mobile and pda interfaces to a certain IP range
* 202.1.192.0-202.1.192.255: a range of IPs
* 200.36.161.0/24: a range of IPs by net mask
* 200.36.161/24: a shortened syntax similar to the above.
* Example: $_SWIFT['iprestrict'] = array('202.1.192.0-202.1.192.255', '200.36.161.0/24');
*/
$_SWIFT['iprestrict'] = array();

If you are able to restrict logins by IP address, we highly recommend that you do so: if one of your personnel users’ login details is ever compromised, an attacker will still be unable to log in to your control panels from any IP address other than those you specify.
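The config comment documents three entry syntaxes (an explicit range, a CIDR block, and a shortened CIDR block). The following added example in PHP is a matcher for those syntaxes that an administrator can use to check a planned iprestrict list against real client addresses before relying on it; it is not the product's own matching code, the function names are assumptions, and the sample list and addresses are constructed:

```php
<?php
// Added example, not the SupportSuite/eSupport implementation. It matches a
// client IPv4 address against entries written in the three styles the
// config comment documents. Assumes 64-bit PHP (ip2long returns non-negative).

// Pad a shortened dotted address such as "200.36.161" to four octets.
function ipr_pad($ip) {
    $parts = explode('.', trim($ip));
    while (count($parts) < 4) {
        $parts[] = '0';
    }
    return implode('.', $parts);
}

// Does $clientIp (dotted IPv4) fall inside one restriction entry?
function ipr_entry_matches($entry, $clientIp) {
    $client = ip2long($clientIp);
    if ($client === false) {
        return false;                                // unparseable client address: deny
    }
    if (strpos($entry, '-') !== false) {             // "a.b.c.d-e.f.g.h": explicit range
        list($lo, $hi) = explode('-', $entry, 2);
        $lo = ip2long(ipr_pad($lo));
        $hi = ip2long(ipr_pad($hi));
        return $lo !== false && $hi !== false && $client >= $lo && $client <= $hi;
    }
    if (strpos($entry, '/') !== false) {             // "a.b.c.d/24" or shortened "a.b.c/24"
        list($net, $bits) = explode('/', $entry, 2);
        $net  = ip2long(ipr_pad($net));
        $bits = (int) $bits;
        if ($net === false || $bits < 0 || $bits > 32) {
            return false;                            // malformed entry never grants access
        }
        $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
        return ($client & $mask) === ($net & $mask);
    }
    $single = ip2long(ipr_pad($entry));              // plain single address
    return $single !== false && $single === $client;
}

// An empty list means no restriction (the shipped default); otherwise the
// client must match at least one entry.
function ipr_allowed(array $iprestrict, $clientIp) {
    if (count($iprestrict) === 0) {
        return true;
    }
    foreach ($iprestrict as $entry) {
        if (ipr_entry_matches($entry, $clientIp)) {
            return true;
        }
    }
    return false;
}

// Constructed sample list using the entry styles from the config comment.
$_SWIFT['iprestrict'] = array('202.1.192.0-202.1.192.255', '200.36.161.0/24', '10.0.5/24');

// Constructed client addresses: three inside the list, one outside it.
foreach (array('202.1.192.77', '200.36.161.9', '10.0.5.200', '198.51.100.4') as $ip) {
    printf("%-14s %s\n", $ip, ipr_allowed($_SWIFT['iprestrict'], $ip) ? 'allowed' : 'denied');
}
```

Run the file from the command line and the first three addresses print as allowed and the last as denied. Two points worth keeping in mind when deploying the real setting: an empty array disables the restriction entirely, so a typo that leaves the list empty silently removes the control; and the check is only as trustworthy as the client address the application sees, so if the help desk sits behind a reverse proxy or load balancer, confirm which address reaches PHP before relying on forwarded headers.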
