LivePerson, ProvideChat are vulnerable to XSS

Sponsored Links
GreyHat hacker called "Sony", from insecurity.ro, discovered cross site scripting vulnerability in LivePerson and ProvideChat applications.


Live Chat Software Provide Chat is the smarter, easier, more affordable way to chat live and help your online visitors.Hacker found the XSS vulnerability in orgId field of Unavailable.php file.

POC:
http://providechat.com/_chat/unavailable.php?orgId=[our xss is here]

LivePerson creates meaningful, real time customer connections that help businesses increase conversions and improve consumer experience.

Hacker spoke with Tech support and asked who uses the LivePerson. They replied that they have currently
over 8,500 clients, including many Fortune 500 companies such as Verizon, Adobe, Cisco, Estee Lauder, Home Depot, Neiman Marcus, Panasonic, Bank of America, Chase, HSBC, Microsoft, HP, IBM, Hoovers and Citibank.


Hacker provided as demo for the Safe Credit Union and American Airlines Federal Credit Union websites. Also some other high profile and online bank sites including Busey Bank,Del Norte Credit Union, San Diego Metrpolitan Credit Union, Bank Financial,Baton Rouge Telco Federal Credit Union are vulnerable to this XSS attack.

POC:
http://server.iad.liveperson.net/visitor/68511475/window/window_main.asp?site=68511475[our xss is here]&page=&loginsso=

https://server.iad.liveperson.net/visitor/LPaaefcu_mbrsrvs/window/main.asp?site=LPaaefcu_mbrsrvs%22%22%3E%3Cscript%3Ealert%28%221%22%29%3C/script%3E&page=&loginsso=
Category: / /

Share this with Your friends:


About Author

, founder of E Hacking News, an Information Security enthusiast who has more interest in PenTesting and Malware analysis. You can find him on Google+ Profile , Twitter and Facebook.