
List:       full-disclosure
Subject:    [Full-disclosure] LiveZilla Cross Site Scripting Vulnerability
From:       Rodrigo Branco <rbranco () checkpoint ! com>
Date:       2010-12-27 16:09:56
Message-ID: 50D13E31158CB84E8421A703294682FB1421D288F6 () USEXCHANGE ! ad ! checkpoint ! com

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.



Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

LiveZilla Cross Site Scripting Vulnerability
CVE-2010-4276


INTRODUCTION

According to LiveZilla GmbH, "the Next Generation Live Help and Live Support System connects you to your website visitors. Use LiveZilla to provide Live Chats and monitor your website visitors in real-time. Convert visitors to customers - with LiveZilla!"

This problem was confirmed in the following version of LiveZilla; other versions may also be affected. LiveZilla released an update to fix the vulnerability.

LiveZilla v3.2.0.2


CVSS Scoring System

The CVSS score is: 6.4
	Base Score: 6.7
	Temporal Score: 6.4
We used the following values to calculate the scores:
	Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N
	Temporal score is: E:F/RL:U/RC:C


DETAILS

LiveZilla is affected by Reflected Cross-Site Scripting in server.php, in the “module” track, which calls a vulnerable JavaScript function.

This request: 
	http://<server>/livezilla/server.php?request=track&livezilla=<script>alert('xss')</script>
	
will pass through the following files:
htdocs\livezilla\server.php
htdocs\livezilla\track.php
htdocs\livezilla\templates\jscript\jstrack.tpl

And finally land in this excerpt of code:

---
// Stores the supplied IDs in the session when the user ID differs from
// the current one; neither argument is validated here.
function lz_tracking_set_sessid(_userId, _browId)
{
    if(lz_session.UserId != _userId)
    {
        lz_session.UserId = _userId;
        lz_session.BrowserId = _browId;
        lz_session.Save();
    }
}
---

The JavaScript file “jstrack.tpl” is called by track.php and contains a function named “lz_tracking_set_sessid()”. This function does not sanitize data, and thus an attacker can inject malicious JavaScript code, allowing Reflected Cross-Site Scripting attacks against users.



CREDITS

This vulnerability has been brought to our attention by Ulisses Castro from Conviso IT Security company (http://www.conviso.com.br) and was researched internally by Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT).




Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
http://www.checkpoint.com/defense
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
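
The missing sanitization described under DETAILS, shown next to a hardened form. This is an added example, not code from the advisory or from LiveZilla: the template line, placeholder names, helper names and session ID format are assumptions, and the server-side substitution step is modelled in JavaScript.

```javascript
// Added illustration, not LiveZilla code. The template line, placeholder names
// and ID format below are assumptions; the payload is the one in the advisory.
const TEMPLATE = 'lz_tracking_set_sessid("<!--uid-->", "<!--bid-->");';
const ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/; // assumed shape of a session ID

// Fill the hypothetical placeholders; function replacers avoid "$&" expansion.
function fill(uid, bid) {
  return TEMPLATE.replace('"<!--uid-->"', () => uid)
                 .replace('"<!--bid-->"', () => bid);
}

// Vulnerable pattern: request values are copied into script text unchanged.
function renderUnsafe(uid, bid) {
  return fill(`"${uid}"`, `"${bid}"`);
}

// Encode a value as a JavaScript string literal that is also safe inside an
// inline <script> element: JSON.stringify escapes quotes, backslashes and
// control characters; the extra pass escapes <, >, & and U+2028/U+2029.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened pattern: allow-list validation first, context-aware encoding second.
// Returns null when an ID is rejected so the caller can answer with an error.
function renderSafe(uid, bid) {
  if (!ID_PATTERN.test(uid) || !ID_PATTERN.test(bid)) return null;
  return fill(jsStringLiteral(uid), jsStringLiteral(bid));
}

const payload = "<script>alert('xss')</script>"; // value from the advisory's request
console.log(renderUnsafe(payload, 'b1'));  // markup reaches the page intact
console.log(jsStringLiteral(payload));     // inert string literal
console.log(renderSafe(payload, 'b1'));    // null: rejected by the allow-list
console.log(renderSafe('a1b2c3', 'b1'));   // well-formed call
```

Validation alone would stop the request shown in the advisory; the encoder is kept as a second layer so that a later loosening of the ID pattern does not reopen the script context.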

