Thursday, October 10, 2013

So today, I will explain how I was able to get the DB information of one sub-domain of Viber,
or, I can say, how I was able to download the forbidden file "config.php".
Viber Co. is using a helpdesk created by Kayako,
and until yesterday all Kayako helpdesks were vulnerable to exposure of config.php.

Proof of concept

This is what the Kayako team replied when I reported this vulnerability to them, in the helpdesk they provide to big companies like Viber.

Now all helpdesks, including the Viber support ticket submission system, are patched and safe from this vulnerability.

P.S.: The exploit was not mine, and I was unable to connect to the DB server remotely because remote access is always disabled by default, so the Viber team did not enable it and I was not able to do anything with the DB.