[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] LiveZilla Cross Site Scripting Vulnerability
From: Rodrigo Branco <rbranco () checkpoint ! com>
Date: 2010-12-27 16:09:56
Message-ID: 50D13E31158CB84E8421A703294682FB1421D288F6 () USEXCHANGE ! ad ! checkpoint ! com
[Download RAW message or body]
Dear List,
I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following \
vulnerability.
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/
LiveZilla Cross Site Scripting Vulnerability
CVE-2010-4276
INTRODUCTION
Accordingly to LiveZilla GmbH, "the Next Generation Live Help and Live Support System connects \
you to your website visitors. Use LiveZilla to provide Live Chats and monitor your website \
visitors in real-time. Convert visitors to customers - with LiveZilla! "
This problem was confirmed in the following versions of the LiveZilla, other versions maybe \
also affected. LiveZilla released an update to fix the vulnerability.
LiveZilla v3.2.0.2
CVSS Scoring System
The CVSS score is: 6.4
Base Score: 6.7
Temporal Score: 6.4
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N
Temporal score is: E:F/RL:U/RC:C
DETAILS
LiveZilla is affected by Reflected Cross Site Scripting in server.php, in the “module” track \
which calls a vulnerable javascript function.
This request:
http://<server>/livezilla/server.php?request=track&livezilla=<script>alert('xss')</script>
Will pass thru the following files:
htdocs\livezilla\server.php
htdocs\livezilla\track.php
htdocs\livezilla\templates\jscript\jstrack.tpl
And finally land in this excerpt of code:
---
207
208 function lz_tracking_set_sessid(_userId, _browId)
209 {
210 if(lz_session.UserId != _userId)
211 {
212 lz_session.UserId = _userId;
213 lz_session.BrowserId = _browId;
214 lz_session.Save();
215 }
216 }
217
---
The javascript file “jstrack.tpl” is called by track.php and contains a function named \
“lz_tracking_set_sessid()”. This function do not sanitize data and thus an attacker can \
inject a malicious javascript code allowing Reflected Cross Site Script attacks against users.
CREDITS
This vulnerability has been brought to our attention by Ulisses Castro from Conviso IT Security \
company (http://www.conviso.com.br) and was researched internally by Rodrigo Rubira Branco from \
the Check Point Vulnerability Discovery Team (VDT).
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
http://www.checkpoint.com/defense
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic