lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 15 Dec 2013 00:07:35 GMT
From: zoczus@...il.com
To: bugtraq@...urityfocus.com
Subject: LiveZilla 5.1.2.0 Multiple Stored XSS in webbased operator client

Author: Jakub Zoczek [zoczus@...il.com]
CVE Reference: CVE-2013-7032
Product: LiveZilla 
Vendor: LiveZilla GmbH [http://livezilla.net]
Affected version: 5.1.2.0
Severity: Medium
CVSSv2 Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 
Status: Fixed

0x01 Background

LiveZilla, the widely-used and trusted Live Help and Live Support System.

0x02 Description

LiveZilla in version 5.1.2.0 is prone to multiple stored cross-site scripting vulnerabilities in Webbased Operator Client. Attacker is able to execute arbitrary javascript code in context of operator browser by providing xss payloads into unfiltered fields - details below.


0x03 Proof of Concept

- File Names - this issue is really similar to CVE-2013-7003. LiveZilla fixed it by escaping displayed file name when customer want send it to operator. Unfortunately it is unescaped after succesful upload.
- Also - after upload LiveZilla creates 'resources' with those files. Filenames are escaped properly there, but names of customers don't. We can use simple, widely-known XSS payloads to exploit this vulnerability.

0x04 Fix

Vulnerability was fixed in LiveZilla 5.1.2.1 version.

0x05 Timeline

08.12.2013 - Vendor notified
09.12.2013 - Vendor responded with informations about planned release 
10.12.2013 - Version 5.1.2.1 released
15.12.2013 - Public Disclosure

Powered by blists - more mailing lists