| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201312150007.rBF07ZnZ016784@sf01web3.securityfocus.com> Date: Sun, 15 Dec 2013 00:07:35 GMT From: zoczus@...il.com To: bugtraq@...urityfocus.com Subject: LiveZilla 5.1.2.0 Multiple Stored XSS in webbased operator client Author: Jakub Zoczek [zoczus@...il.com] CVE Reference: CVE-2013-7032 Product: LiveZilla Vendor: LiveZilla GmbH [http://livezilla.net] Affected version: 5.1.2.0 Severity: Medium CVSSv2 Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) Status: Fixed 0x01 Background LiveZilla, the widely-used and trusted Live Help and Live Support System. 0x02 Description LiveZilla in version 5.1.2.0 is prone to multiple stored cross-site scripting vulnerabilities in Webbased Operator Client. Attacker is able to execute arbitrary javascript code in context of operator browser by providing xss payloads into unfiltered fields - details below. 0x03 Proof of Concept - File Names - this issue is really similar to CVE-2013-7003. LiveZilla fixed it by escaping displayed file name when customer want send it to operator. Unfortunately it is unescaped after succesful upload. - Also - after upload LiveZilla creates 'resources' with those files. Filenames are escaped properly there, but names of customers don't. We can use simple, widely-known XSS payloads to exploit this vulnerability. 0x04 Fix Vulnerability was fixed in LiveZilla 5.1.2.1 version. 0x05 Timeline 08.12.2013 - Vendor notified 09.12.2013 - Vendor responded with informations about planned release 10.12.2013 - Version 5.1.2.1 released 15.12.2013 - Public Disclosure
Powered by blists - more mailing lists