Lucene search

K

LiveZilla 5.1.2.0 Insecure Password Storage

🗓️ 16 Dec 2013 00:00:00Reported by Jakub ZoczekType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 21 Views

LiveZilla 5.1.2.0 insecure password storage, XSS attack vulnerability, fixed in version 5.1.2.

Show more
Related
Code
ReporterTitlePublishedViews
Family
Prion
Cross site scripting
19 May 201414:55
prion
Prion
Cross site scripting
19 May 201414:55
prion
securityvulns
LiveZilla 5.1.2.0 Insecure password storage
9 Jan 201400:00
securityvulns
securityvulns
Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
9 Jan 201400:00
securityvulns
OpenVAS
LiveZilla Password Disclosure Vulnerability
19 Feb 201400:00
openvas
NVD
CVE-2013-7033
19 May 201414:55
nvd
NVD
CVE-2013-7385
19 May 201414:55
nvd
CVE
CVE-2013-7033
19 May 201414:55
cve
CVE
CVE-2013-7385
19 May 201414:55
cve
Cvelist
CVE-2013-7033
19 May 201414:00
cvelist
Rows per page
`Author: Jakub Zoczek [[email protected]]  
CVE Reference: CVE-2013-7033  
Product: LiveZilla   
Vendor: LiveZilla GmbH [http://livezilla.net]  
Affected version: 5.1.2.0  
Severity: Medium  
CVSSv2 Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)  
Status: Partly fixed  
  
0x01 Background  
  
LiveZilla, the widely-used and trusted Live Help and Live Support System.  
  
0x02 Description  
  
LiveZilla in version 5.1.2.0 is prone to insecure password storage. Attacker using for example XSS attack is able to get currently logged operator's username and password string (plaintext).  
  
0x03 Proof of Concept  
  
alert('User: ' + loginName + ' password: ' + loginPassword);  
  
http://postimg.org/image/vvw7e2zoz/  
  
0x04 Fix  
  
Vulnerability was partly fixed in LiveZilla 5.1.2.1 version. Now passwords are stored as md5 hash, but it's still accesable from javascript.   
  
0x05 Timeline  
  
08.12.2013 - Vendor notified  
09.12.2013 - Vendor responded with informations about planned release   
10.12.2013 - Version 5.1.2.1 released  
15.12.2013 - Public Disclosure  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo