
[FG-VD-19-083,085,087] LiveZilla Server is vulnerable to Cross-Site Scripting in the admin panel

Tags: xss, bug, security

12 replies to this topic

#1 tsug0d_

    Member

  • Members
  • 17 posts

Posted 25 June 2019 - 04:45 AM

Vulnerability Notification
June 25, 2019
Tracking Case #: FG-VD-19-083, FG-VD-19-085, FG-VD-19-087
Fortinet's FortiGuard Labs have discovered a security issue in your LiveZilla Server product. We estimate its risk at 3, on a scale of 1 (lowest) to 5 (highest), in terms of its impact. Please advise of the appropriate contact person in your company to handle this issue.
Fortinet's research remains ethical at all times, and we therefore strive for Responsible Disclosure. Fortinet's vulnerability disclosure policy can be found at https://fortiguard.c...ble-disclosure

Please find a detailed report in the attachment.

Attached Files



#2 Patrick Keil

    Administrator

  • Administrators
  • 3866 posts
  • Location: Singen, Germany

Posted 25 June 2019 - 08:47 AM

Hi,

Thanks for bringing this to our attention.

I can confirm this issue. A fix will be included in today's update, 8.0.1.1.

Thanks again.

#3 tsug0d_

    Member

  • Members
  • 17 posts

Posted 25 June 2019 - 02:08 PM


Thanks for the fast response & fix timeline. Updating with the CVE IDs:

- XSS in mobile/index.php via the Accept-Language HTTP header: CVE-2019-12962

- XSS in the chat.php Create Ticket Action: CVE-2019-12963

- XSS in the ticket.php Subject: CVE-2019-12964




#4 tsug0d_

    Member

  • Members
  • 17 posts

Posted 27 June 2019 - 08:21 AM

Hi Patrick, I notice that the XSS bug in the Create Ticket action is not fixed yet in version 8.0.1.1.

#5 Patrick Keil

    Administrator

  • Administrators
  • 3866 posts
  • Location: Singen, Germany

Posted 27 June 2019 - 08:38 AM

Hi,

I checked this issue again but I don't see any XSS when following your instructions:

1.) Start a chat with the XSS payload as subject:
"><svg/onload=prompt(2)><"

2.) Use the Create Ticket function in the operator console

3.) No code execution in the operator console (I have also checked tickets, chat archive, ticket.php)

What did I miss?

Thanks.

#6 tsug0d_

    Member

  • Members
  • 17 posts

Posted 27 June 2019 - 08:46 AM

Hi Patrick, step 2 can be done as shown in the attachments. If you still can't get the popup from the XSS, I'll dig into the source code to provide the root cause for you.

Attached Thumbnails

  • Attached Image: poc_xss.png
  • Attached Image: poc_2_xss.png


#7 tsug0d_

    Member

  • Members
  • 17 posts

Posted 27 June 2019 - 08:58 AM

I found out that it's also vulnerable when you click Edit subject of a ticket; PoC in attachment.

Attached Thumbnails

  • Attached Image: edit_subject.png


#8 Patrick Keil

    Administrator

  • Administrators
  • 3866 posts
  • Location: Singen, Germany

Posted 27 June 2019 - 12:15 PM

Hi,

Quote

I found out that it's also vulnerable when you click Edit subject of a ticket; PoC in attachment.

Confirmed and fixed for 8.0.1.2.

Quote

Hi Patrick, step 2 can be done as shown in the attachments. If you still can't get the popup from the XSS, I'll dig into the source code to provide the root cause for you.

No luck, we are still unable to reproduce it. We checked the source code (mobile/js/lzm/classes/ChatTicketClass.js) and the value is HTML escaped.

#9 tsug0d_

    Member

  • Members
  • 17 posts

Posted 01 July 2019 - 07:33 AM

Hi Patrick, can you try the payload below instead of the old svg tag for the Create Ticket XSS vuln:

Quote

"><img src=x onerror=confirm(431)><"


#10 Patrick Keil

    Administrator

  • Administrators
  • 3866 posts
  • LocationSingen, Germany

Posted 01 July 2019 - 12:13 PM

Thanks, confirmed and fixed for 8.0.1.2.
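
The back-and-forth above turns on one question: where does the ticket subject get written into operator-console markup, and is it escaped there for every payload, not just the first one tried. The JavaScript below is an added example, not LiveZilla code and not taken from mobile/js/lzm/classes/ChatTicketClass.js. It runs the two payloads quoted in this thread through three hypothetical handlers (the names escapeHtml, stripSvgOnly, noSanitize and renderSubjectRow are assumptions for the example): an identity pass-through, a deny-list that only knows the svg tag, and full entity-escaping. The template and the detector of injected tag names are constructed for the example. The same escaping rule applies to the Accept-Language reflection in mobile/index.php (CVE-2019-12962): the character set that has to be neutralised does not depend on which tag the tester happened to use.

```javascript
// Added example (not LiveZilla code): untrusted ticket subject rendered into
// operator-view HTML. Shows why entity-escaping holds for every payload while
// a deny-list that knows some tags fails as soon as a different tag is tried.

// The two payloads quoted in the thread.
const SVG_PAYLOAD = '"><svg/onload=prompt(2)><"';
const IMG_PAYLOAD = '"><img src=x onerror=confirm(431)><"';

// Tags the (constructed) template emits itself; any other tag in the output
// must have come from the subject.
const TEMPLATE_TAGS = new Set(['tr', 'td']);

// Contextual HTML escaping: every character that can close a quoted attribute
// or open a tag becomes an entity, regardless of which tag follows it.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical deny-list filter that strips only <svg ...> tags. It is here to
// show why a finding should be re-tested with a second payload before it is
// closed; it is not a claim about what any shipped product does.
function stripSvgOnly(s) {
  return String(s).replace(/<svg\b[^>]*>/gi, '');
}

// Identity "sanitizer": the subject is dropped into the markup unchanged.
function noSanitize(s) {
  return String(s);
}

// A naive row template (assumption): the subject lands both inside a quoted
// attribute and inside a text node, the two contexts the payloads break out of.
function renderSubjectRow(subject, sanitize) {
  const value = sanitize(subject);
  return `<tr><td title="${value}">${value}</td></tr>`;
}

// Tag names present in the rendered HTML that the template did not put there.
// Properly escaped output contains no literal '<' from the subject, so nothing
// is reported for it; a surviving <svg> or <img> means the payload went live.
function injectedTags(html) {
  const found = new Set();
  for (const m of html.matchAll(/<([a-z][a-z0-9]*)/gi)) {
    const name = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(name)) found.add(name);
  }
  return [...found];
}

// Run every payload through every handler.
// Returns { handlerName: { payloadName: [injected tag names] } }.
function evaluate() {
  const handlers = { noSanitize, stripSvgOnly, escapeHtml };
  const payloads = { svg: SVG_PAYLOAD, img: IMG_PAYLOAD };
  const report = {};
  for (const [hName, fn] of Object.entries(handlers)) {
    report[hName] = {};
    for (const [pName, p] of Object.entries(payloads)) {
      report[hName][pName] = injectedTags(renderSubjectRow(p, fn));
    }
  }
  return report;
}

console.log(JSON.stringify(evaluate(), null, 2));
```

With the deny-list handler the svg payload is stripped and the img payload survives, which is the pattern of "cannot reproduce with payload A, confirmed with payload B" seen in this thread; with entity-escaping neither payload leaves a tag behind, and the check in `injectedTags` is what a regression test for the fix should assert on rather than the absence of one particular tag.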

#11 zilla

    Newbie

  • Members
  • 7 posts

Posted 06 July 2019 - 11:12 AM

Patrick Keil, on 01 July 2019 - 12:13 PM, said:

Thanks, confirmed and fixed for 8.0.1.2.

When will the new version be released? It is already 06.07.2019 and the latest available version is still 8.0.1.1.

Can you put it up for a download please?

Thank you.

#12 Patrick Keil

    Administrator

  • Administrators
  • 3866 posts
  • Location: Singen, Germany

Posted 09 July 2019 - 07:06 AM

The roadmap can be found here:

http://roadmap.livezilla.net

Cheers

#13 tsug0d_

    Member

  • Members
  • 17 posts

Posted 26 July 2019 - 04:55 AM

Thanks Patrick, we confirmed that all the bugs are fixed. We will release the advisory blog post next week.
