LiveZilla - XSS Vulnerability






LiveZilla - Cross Site Scripting Vulnerability

Version Affected: 3.1.8.3 (newest)

Info:
LiveZilla, the Next Generation Live Help / Live Chat and Live
Support System connects you to your website visitors. Use
LiveZilla to provide Live Chats and monitor your website visitors
in real-time. Convert visitors to customers - with LiveZilla!

Credits: InterN0T

External Links:
http://www.livezilla.net/

-:: The Advisory ::-
Taken together, the following files are vulnerable to Cross Site Scripting.

1. livezilla/templates/map.tpl (lines 18-20)
var default_lat = ;
var default_lng = ;
var default_zom = ;

2. livezilla/map.php (lines 15-28)
if(isset($_GET["lat"]))
    $map = str_replace("",$_GET["lat"],$map);
else
    $map = str_replace("","25",$map);

if(isset($_GET["lng"]))
    $map = str_replace("",$_GET["lng"],$map);
else
    $map = str_replace("","10",$map);

if(isset($_GET["zom"]))
    $map = str_replace("",$_GET["zom"],$map);
else
    $map = str_replace("","1",$map);

Proof of Concept: ()
http://localhost/livezilla/map.php?lat=%3C/script%3E%3Cscript%3Ealert(%22InterN0T.net%22)%3C/script%3E

Pseudo Proof of Concept:
- JavaScript functions could also have been executed inside the JavaScript block where the vulnerable code is.

-:: Solution ::-
The following patch was supplied to the vendor:
1. livezilla/templates/map.tpl (lines 18-20)
var default_lat = "";
var default_lng = "";
var default_zom = "";

2. livezilla/map.php (lines 15-28)
if(isset($_GET["lat"]))
    $map = str_replace("",htmlentities($_GET["lat"]),$map);
else
    $map = str_replace("","25",$map);

if(isset($_GET["lng"]))
    $map = str_replace("",htmlentities($_GET["lng"]),$map);
else
    $map = str_replace("","10",$map);

if(isset($_GET["zom"]))
    $map = str_replace("",htmlentities($_GET["zom"]),$map);
else
    $map = str_replace("","1",$map);

We used htmlentities() since we thought that would be the best
solution. The other functions named htmlspecialchars(), urlencode()
and rawurlencode() could have been alternatives to the above.

Disclosure Information:
- Vulnerability found 27th December
- Patch was made available 27th December
- Disclosed on InterN0T 27th December
- Vendor and Bugtraq (SecurityFocus) contacted the 27th December


All of the best,
MaXe
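
Because lat, lng and zom are map coordinates and a zoom level, a stricter alternative to output encoding is to accept only numbers and fall back to the defaults otherwise. The sketch below is an added example, not LiveZilla's code and not the patch sent to the vendor; the {{LAT}}, {{LNG}} and {{ZOM}} tokens, the function names and the numeric ranges are assumptions, since the template's real placeholder names do not appear in the advisory text.

```php
<?php
// Added example, not LiveZilla code. {{LAT}}, {{LNG}} and {{ZOM}} are
// hypothetical stand-ins for the placeholders in map.tpl.

// Per-parameter rule: [min, max, default]. Defaults are the ones map.php uses;
// the ranges are assumptions (latitude, longitude, map zoom level).
const MAP_RULES = [
    'lat' => [-90.0, 90.0, 25.0],
    'lng' => [-180.0, 180.0, 10.0],
    'zom' => [0.0, 21.0, 1.0],
];

// Return the value as a float only if it is a plain decimal number inside the
// range. Arrays (?lat[]=x), markup, exponents and hex all fall through to null.
function map_number($raw, float $min, float $max): ?float
{
    if (!is_string($raw) || !preg_match('/\A-?\d{1,3}(?:\.\d{1,8})?\z/', $raw)) {
        return null;
    }
    $value = (float) $raw;
    return ($value >= $min && $value <= $max) ? $value : null;
}

function render_map(string $template, array $query): string
{
    foreach (MAP_RULES as $name => [$min, $max, $default]) {
        $value = map_number($query[$name] ?? null, $min, $max) ?? $default;
        // json_encode() of a float yields a bare JavaScript number literal,
        // so the template needs no quotes around the placeholder.
        $token = '{{' . strtoupper($name) . '}}';
        $template = str_replace($token, json_encode($value), $template);
    }
    return $template;
}

// Constructed template fragment mirroring map.tpl lines 18-20.
$tpl = "var default_lat = {{LAT}};\nvar default_lng = {{LNG}};\nvar default_zom = {{ZOM}};\n";

// Constructed requests: a valid one, and the advisory's PoC value for lat.
$good = ['lat' => '55.6761', 'lng' => '12.5683', 'zom' => '8'];
$poc  = ['lat' => '</script><script>alert("InterN0T.net")</script>'];

echo render_map($tpl, $good), "\n", render_map($tpl, $poc);
```

In map.php the second argument would be $_GET; the PoC value fails the numeric check, so the default latitude is written into the script block instead of the request data.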
