exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ClickDesk 4.3 Cross Site Scripting

ClickDesk 4.3 Cross Site Scripting
Posted Mar 4, 2014
Authored by Owais Mehtab

ClickDesk versions 4.3 and below suffer from multiple persistent cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2014-9211
SHA-256 | 344fe9de1d611e0634831da9f2d4b854bfccfac96330419b32ed688d72f409ad

ClickDesk 4.3 Cross Site Scripting

Change Mirror Download
ClickDesk Multiple Persistent XSS

Details
========================================================================================
Product: ClickDesk a [ cross platform live chat and support plugin ]
Security-Risk: High
Remote-Exploit: yes
Vendor-URL: https://www.clickdesk.com/
Advisory-Status: NotPublished

Credits
========================================================================================
Discovered by: Owais Mehtab
Greets To: Mirza Burhan Baig, Muhammad Waqar, Muhammad Ali Baloch, Navaid Zafar Ansari

Affected Products:
========================================================================================
ClickDesk <=4.3
Tested on wordpress 3.8.1

Description
========================================================================================
"Live Chat Plugin"

More Details
========================================================================================
I have discsovered a persistent Cross site scripting (XSS) inside
ClickDesk,the vulnerability can be easily exploited and can be used to steal cookies,
perform phishing attacks and other various attacks compromising the security of a
user.

Proof of Concept
========================================================================================
1-Live Chat XSS
---------------
go to any website having ClickDesk Live Chat installed,


Click on the "Live Chat widget" and set the below vector in name field

"><img src=O onerror=prompt(document.cookie);>

Now click on initiate chat

Wollah.. here you go with your own Cookie!


2-Email XSS
-----------
go to any website having ClickDesk Live Chat installed,

Click on the "Live Chat widget", this time select the email option and set the below vector in message field

"><img src=O onerror=prompt(document.cookie);>

Now Click on submit

Wollah.. again here you go with your own Cookie!



Solution
========================================================================================
Edit the source code to ensure that input is properly sanitised.


--
Regards,
Owais Mehtab
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close