[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] LiveZilla Cross Site Scripting Vulnerability (XSS) - CVE-2010-4276

To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>, "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] LiveZilla Cross Site Scripting Vulnerability (XSS) - CVE-2010-4276
From: Rodrigo Branco <rbranco@xxxxxxxxxxxxxx>
Date: Mon, 27 Dec 2010 08:09:56 -0800

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to 
publish the following vulnerability.



Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

LiveZilla Cross Site Scripting Vulnerability
CVE-2010-4276


INTRODUCTION

Accordingly to LiveZilla GmbH, "the Next Generation Live Help and Live Support 
System connects you to your website visitors. Use LiveZilla to provide 
Live Chats and monitor your website visitors in real-time. Convert visitors to 
customers - with LiveZilla! "

This problem was confirmed in the following versions of the LiveZilla, other 
versions maybe also affected.  LiveZilla released an update to fix the 
vulnerability.

LiveZilla v3.2.0.2


CVSS Scoring System

The CVSS score is: 6.4
        Base Score: 6.7
        Temporal Score: 6.4
We used the following values to calculate the scores:
        Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N
        Temporal score is: E:F/RL:U/RC:C


DETAILS

LiveZilla is affected by Reflected Cross Site Scripting in server.php, in the 
“module” track which calls a vulnerable javascript function.

This request: 
        
http://<server>/livezilla/server.php?request=track&livezilla=<script>alert('xss')</script>
        
Will pass thru the following files:
htdocs\livezilla\server.php
htdocs\livezilla\track.php
htdocs\livezilla\templates\jscript\jstrack.tpl

And finally land in this excerpt of code:

---
207
208 function lz_tracking_set_sessid(_userId, _browId)
209 {
210 if(lz_session.UserId != _userId)
211 {
212 lz_session.UserId = _userId;
213 lz_session.BrowserId = _browId;
214 lz_session.Save();
215 }
216 }
217
---

The javascript file “jstrack.tpl” is called by track.php and contains a 
function named “lz_tracking_set_sessid()”.  This function do not sanitize 
data and thus an attacker can inject a malicious javascript code allowing 
Reflected Cross Site Script attacks against users.



CREDITS

This vulnerability has been brought to our attention by Ulisses Castro from 
Conviso IT Security company (http://www.conviso.com.br) and was
researched internally by Rodrigo Rubira Branco from the Check Point 
Vulnerability Discovery Team (VDT).




Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
http://www.checkpoint.com/defense
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] Musntlive 2011 crystal security ball
Next by Date: [Full-disclosure] DD-WRT Information Disclosure Vulnerability
Previous by thread: Re: [Full-disclosure] Musntlive 2011 crystal security ball
Next by thread: [Full-disclosure] DD-WRT Information Disclosure Vulnerability
Index(es):
- Date
- Thread