Check Point Software Technologies - Vulnerability Discovery Team (VDT) http://www.checkpoint.com/defense/ LiveZilla Cross Site Scripting Vulnerability CVE-2010-4276 INTRODUCTION Accordingly to LiveZilla GmbH, "the Next Generation Live Help and Live Support System connects you to your website visitors. Use LiveZilla to provide Live Chats and monitor your website visitors in real-time. Convert visitors to customers - with LiveZilla! " This problem was confirmed in the following versions of the LiveZilla, other versions maybe also affected. LiveZilla released an update to fix the vulnerability. LiveZilla v3.2.0.2 CVSS Scoring System The CVSS score is: 6.4 Base Score: 6.7 Temporal Score: 6.4 We used the following values to calculate the scores: Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N Temporal score is: E:F/RL:U/RC:C DETAILS LiveZilla is affected by Reflected Cross Site Scripting in server.php, in the .module. track which calls a vulnerable javascript function. This request: http:///livezilla/server.php?request=track&livezilla= Will pass thru the following files: htdocs\livezilla\server.php htdocs\livezilla\track.php htdocs\livezilla\templates\jscript\jstrack.tpl And finally land in this excerpt of code: --- 207 208 function lz_tracking_set_sessid(_userId, _browId) 209 { 210 if(lz_session.UserId != _userId) 211 { 212 lz_session.UserId = _userId; 213 lz_session.BrowserId = _browId; 214 lz_session.Save(); 215 } 216 } 217 --- The javascript file .jstrack.tpl. is called by track.php and contains a function named .lz_tracking_set_sessid().. This function do not sanitize data and thus an attacker can inject a malicious javascript code allowing Reflected Cross Site Script attacks against users. CREDITS This vulnerability has been brought to our attention by Ulisses Castro from Conviso IT Security company (http://www.conviso.com.br) and was researched internally by Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT).