ClickDesk Multiple Persistent XSS
Product: ClickDesk [a cross-platform live chat and support plugin]
Security-Risk: High
Remote-Exploit: yes
Advisory-Status: NotPublished
Discovered by: Owais Mehtab
Greets To: Mirza Burhan Baig, Muhammad Waqar, Muhammad Ali Baloch, Navaid Zafar Ansari
Affected Products:
ClickDesk <=4.3
Tested on WordPress 3.8.1
"Live Chat Plugin"
More Details
I have discovered a persistent cross-site scripting (XSS) inside
ClickDesk. The vulnerability can be easily exploited and can be used to steal cookies,
perform phishing attacks and other various attacks compromising the security of a
Proof of Concept
1-Live Chat XSS
Go to any website having ClickDesk Live Chat installed,
click on the "Live Chat widget" and set the below vector in the name field
Now click on initiate chat
Wollah.. here you go with your own Cookie!
2-Email XSS
Go to any website having ClickDesk Live Chat installed,
click on the "Live Chat widget", this time select the email option and set the below vector in the message field
Now Click on submit
Wollah.. again here you go with your own Cookie!
Edit the source code to ensure that input is properly sanitised.
Owais Mehtab
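
One way to apply the remediation above, shown as an added example that is not ClickDesk's code and not part of the original advisory: the two visitor-controlled fields it names (chat name, email message) are bounded on input and HTML-encoded wherever they are written into a page. All function names, length limits and the sample entry are assumptions made for illustration.

```javascript
// Added illustration; not ClickDesk code. All names are hypothetical.
// Both fields named in the advisory (chat "name", email "message") are
// visitor-controlled and stored, so they are encoded at every output point.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Encode text for an HTML element body or a quoted attribute value.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Input-side check: bound the length and drop control characters.
// This limits abuse but does not replace output encoding.
function normalizeField(value, maxLen) {
  return String(value ?? '')
    .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, '')
    .trim()
    .slice(0, maxLen);
}

// "Before": stored fields are concatenated into markup unchanged, so any
// markup a visitor typed is parsed by the browser of whoever views it.
function renderVisitorUnsafe(entry) {
  return '<div class="visitor" title="' + entry.name + '">' +
         '<span class="name">' + entry.name + '</span>' +
         '<p class="message">' + entry.message + '</p></div>';
}

// "After": the same template with every field normalized and encoded.
function renderVisitorSafe(entry) {
  const name = escapeHtml(normalizeField(entry.name, 64));
  const message = escapeHtml(normalizeField(entry.message, 2000));
  return '<div class="visitor" title="' + name + '">' +
         '<span class="name">' + name + '</span>' +
         '<p class="message">' + message + '</p></div>';
}

// Constructed sample input: harmless markup that also tries to close the attribute.
const sample = { name: '"><i>visitor</i>', message: 'Tom & "Jerry" <b>hi</b>' };
console.log(renderVisitorUnsafe(sample));
console.log(renderVisitorSafe(sample));
```

The encoder covers HTML body and quoted-attribute contexts only; values placed inside script blocks, URLs or CSS need the encoding for that context.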