packetstorm | Jakub Zoczek | PACKETSTORM:124374
History: Dec 10, 2013 - 12:00 a.m.

LiveZilla 5.1.1.0 Cross Site Scripting

2013-12-10 00:00:00
Jakub Zoczek
packetstormsecurity.com
EPSS: 0.002 (Low), percentile 59.2%

`Author: Jakub Zoczek [[email protected]]  
CVE Reference: CVE-2013-7003  
Product: LiveZilla   
Vendor: LiveZilla GmbH [http://livezilla.net]  
Affected version: 5.1.1.0  
Severity: Medium  
CVSSv2 Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)  
Status: Fixed  
  
  
0x01 Background  
  
LiveZilla, the widely-used and trusted Live Help and Live Support System.  
  
0x02 Description  
  
LiveZilla version 5.1.1.0 is prone to multiple stored cross-site scripting issues in the web-based Operator Client and the LiveZilla Client. An attacker can put payloads in fields such as "full name" or "company", or create a crafted filename, to exploit this vulnerability.  
  
0x03 Proof of Concepts  
  
Name and Surname variant:   
  
My name is Jakub and this is looong username <img src="a" onerror="alert(document.cookie)">h  
  
An operator who tries to chat with an attacker using this name will have the JavaScript code executed.  
  
Screenshots:  
  
http://postimg.org/image/orvwl36on/  
http://postimg.org/image/uhh72ij6f/  
http://postimg.org/image/6f0d7n2jb/  
http://postimg.org/image/6hk8uh66v/  
http://postimg.org/image/7z5p61axj/  
  
Uploaded filename variant:   
  
If an attacker (while chatting) tries to upload a specially crafted file named c"><img src="a" onerror="alert(document.cookie)">hh.jpg, the operator gets JavaScript code execution without any interaction.  
  
Screenshots:  
  
http://postimg.org/image/kp9xj4ivr/  
http://postimg.org/image/pqhbkhqc7/  
http://postimg.org/image/7c6sgie1j/  
  
0x04 Fix  
  
The vulnerabilities were fixed in LiveZilla version 5.1.2.0.  
  
0x05 Timeline  
  
21.11.2013 - Vendor notified  
01.12.2013 - Ping  
02.12.2013 - Vendor responded with information about planning a fix  
06.12.2013 - Fixed version released  
10.12.2013 - Public Disclosure  
`
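
The pattern behind both variants, as an added example (not LiveZilla's code and not part of the advisory): visitor-supplied name, company and filename concatenated into operator-side markup, next to a version that HTML-encodes each field before output. The function names, the markup template and the company value are assumptions; the name and filename are the proof-of-concept strings quoted above.

```javascript
// Added example: hypothetical rendering helpers, not LiveZilla source code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can change the HTML parsing context
// (element content and quoted attribute values).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: visitor-controlled strings concatenated straight into markup.
function renderVisitorUnsafe(v) {
  return '<div class="visitor" title="' + v.company + '">' +
         '<b>' + v.fullName + '</b>' +
         '<a href="#" data-file="' + v.fileName + '">' + v.fileName + '</a></div>';
}

// Hardened pattern: same template, every field encoded at the point of output.
function renderVisitorSafe(v) {
  const name = escapeHtml(v.fullName);
  const company = escapeHtml(v.company);
  const file = escapeHtml(v.fileName);
  return '<div class="visitor" title="' + company + '">' +
         '<b>' + name + '</b>' +
         '<a href="#" data-file="' + file + '">' + file + '</a></div>';
}

// Regression check: true if the markup opens any tag the template itself does not emit.
function hasInjectedTag(html) {
  const templateTags = new Set(['div', 'b', 'a']);
  const opened = html.match(/<\s*[a-zA-Z][a-zA-Z0-9]*/g) || [];
  return opened.some((t) => !templateTags.has(t.replace(/<\s*/, '').toLowerCase()));
}

// Visitor record built from the strings in the advisory; company is constructed.
const SAMPLE_VISITOR = {
  fullName: 'My name is Jakub and this is looong username <img src="a" onerror="alert(document.cookie)">h',
  company: 'Example Co',
  fileName: 'c"><img src="a" onerror="alert(document.cookie)">hh.jpg',
};

console.log('unsafe output injects a tag:', hasInjectedTag(renderVisitorUnsafe(SAMPLE_VISITOR)));
console.log('safe output injects a tag:  ', hasInjectedTag(renderVisitorSafe(SAMPLE_VISITOR)));
```

A check like `hasInjectedTag` fits a unit test over every template that prints visitor-controlled fields, so a missed encoding call fails the build instead of reaching the operator console.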
