LiveZilla - XSS Vulnerability

2009.12.30
Credit: MaXe
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

LiveZilla - Cross Site Scripting Vulnerability Version Affected: 3.1.8.3 (newest) Info: LiveZilla, the Next Generation Live Help / Live Chat and Live Support System connects you to your website visitors. Use LiveZilla to provide Live Chats and monitor your website visitors in real-time. Convert visitors to customers - with LiveZilla! Credits: InterN0T External Links: http://www.livezilla.net/ -:: The Advisory ::- The following files would together be vulnerable to Cross Site Scripting. 1. livezilla/templates/map.tpl (lines 18-20) var default_lat = <!--dlat-->; var default_lng = <!--dlng-->; var default_zom = <!--dzom-->; 2. livezilla/map.php (lines 15-28) if(isset($_GET["lat"])) $map = str_replace("<!--dlat-->",$_GET["lat"],$map); else $map = str_replace("<!--dlat-->","25",$map); if(isset($_GET["lng"])) $map = str_replace("<!--dlng-->",$_GET["lng"],$map); else $map = str_replace("<!--dlng-->","10",$map); if(isset($_GET["zom"])) $map = str_replace("<!--dzom-->",$_GET["zom"],$map); else $map = str_replace("<!--dzom-->","1",$map); Proof of Concept: (</script><script>alert(0)</script>) http://localhost/livezilla/map.php?lat=%3C/script%3E%3Cscript%3Ealert(%2 2InterN0T.net%22)%3C/script%3E Pseudo Proof of Concept: - Javascript functions could also have been executed inside the javascript where the vulnerable code is. -:: Solution ::- The following patch was supplied to the vendor: 1. livezilla/templates/map.tpl (lines 18-20) var default_lat = "<!--dlat-->"; var default_lng = "<!--dlng-->"; var default_zom = "<!--dzom-->"; 2. livezilla/map.php (lines 15-28) if(isset($_GET["lat"])) $map = str_replace("<!--dlat-->",htmlentities($_GET["lat"]),$map); else $map = str_replace("<!--dlat-->","25",$map); if(isset($_GET["lng"])) $map = str_replace("<!--dlng-->",htmlentities($_GET["lng"]),$map); else $map = str_replace("<!--dlng-->","10",$map); if(isset($_GET["zom"])) $map = str_replace("<!--dzom-->",htmlentities($_GET["zom"]),$map); else $map = str_replace("<!--dzom-->","1",$map); We used htmlentities() since we thought that would be the best solution. The other functions named htmlspecialchars(), urlencode() and raw_urlencode() could have been an alternative to the above. Disclosure Information: - Vulnerability found 27th December - Patch was made available 27th December - Disclosed on InterN0T 27th December - Vendor and Buqtraq (SecurityFocus) contacted the 27th December All of the best, MaXe

References:

http://www.securityfocus.com/archive/1/archive/1/508613/100/0/threaded
http://secunia.com/advisories/37990
http://osvdb.org/61348
http://forum.intern0t.net/intern0t-advisories/1998-intern0t-livezilla-cross-site-scripting-vulnerability.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top