LiveZilla Multiple Stored XSS in webbased operator client

Type securityvulns
Reporter Securityvulns
Modified 2014-01-09T00:00:00


Author: Jakub Zoczek [] CVE Reference: CVE-2013-7032 Product: LiveZilla Vendor: LiveZilla GmbH [] Affected version: Severity: Medium CVSSv2 Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) Status: Fixed

0x01 Background

LiveZilla, the widely-used and trusted Live Help and Live Support System.

0x02 Description

LiveZilla in version is prone to multiple stored cross-site scripting vulnerabilities in Webbased Operator Client. Attacker is able to execute arbitrary javascript code in context of operator browser by providing xss payloads into unfiltered fields - details below.

0x03 Proof of Concept

  • File Names - this issue is really similar to CVE-2013-7003. LiveZilla fixed it by escaping displayed file name when customer want send it to operator. Unfortunately it is unescaped after succesful upload.
  • Also - after upload LiveZilla creates 'resources' with those files. Filenames are escaped properly there, but names of customers don't. We can use simple, widely-known XSS payloads to exploit this vulnerability.

0x04 Fix

Vulnerability was fixed in LiveZilla version.

0x05 Timeline

08.12.2013 - Vendor notified 09.12.2013 - Vendor responded with informations about planned release 10.12.2013 - Version released 15.12.2013 - Public Disclosure