

Installation / Security

security installation

3 replies to this topic

#1 _pin_

    Newbie

  • Members
  • 2 posts

Posted 03 September 2019 - 12:26 PM

Hello,

We are currently trying to implement a chat and ticket system.

LiveZilla would probably be a good solution.

The installation went smoothly and everything seems to work.

The problem is, the installation path is known and accessible to everyone.

The script is integrated into the web page and contains the path to the installation folder. (e.g., https://domain.tld/livezilla/)

When you open the link, a web page with sensitive data will appear (picture).

The information about the PHP version and the operating system is not intended for the public either.

But I mean the chat button code including script-id.

This code can be integrated into third party websites and thereby discredit the system.

I have already changed several settings and also generated the new code.

But the first code remains published and functional.

You can find many of these installations on the internet. It looks like this affects version 8 of LiveZilla.
GOOGLE SEARCH

Maybe someone knows - what did I do wrong?

Thank you!

Attached Thumbnails

  • Attached Image: s7wZ7Rq.png


#2 Patrick Keil

    Administrator

  • Administrators
  • 3854 posts
  • LocationSingen, Germany

Posted 03 September 2019 - 01:12 PM

Hi,

Please check this article:

https://chat.livezil.../en-serverpage/

Cheers

#3 _pin_

    Newbie

  • Members
  • 2 posts

Posted 03 September 2019 - 01:48 PM

Thank you!
I can delete the index.php file.
The website is not there, good.

But the basic script-id is the same for all livezilla installations.
It is "lzdefsc".

You can find the installation URL in the website code and place it on another website with this code.

I tried with different websites under different URLs, installed on different VMs.
My script works well on any website, independent of the setting "Server URL".
The idea was to use this setting to prohibit use of the script on other websites.
But it has no effect, even when "Detect server URL during runtime" is deselected.

Edited by _pin_, 03 September 2019 - 02:08 PM.


#4 Patrick Keil

    Administrator

  • Administrators
  • 3854 posts
  • LocationSingen, Germany

Posted 04 September 2019 - 01:45 PM

Unfortunately, you can't really prohibit that.

Using your script on other domains will always be possible.
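
Added example, not part of the original posts and not LiveZilla code: since embedding on other domains cannot be blocked, a site owner can at least see where the widget is being loaded from by counting foreign Referer hosts on requests under the installation path in the web server access log. The log format (Apache/nginx "combined"), the allowed host names, the file name script.php in the sample lines and the sample log itself are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: the sites that are supposed to embed the chat widget.
ALLOWED_HOSTS = {"domain.tld", "www.domain.tld"}
# Installation folder as given in the thread (https://domain.tld/livezilla/).
WIDGET_PREFIX = "/livezilla/"

# Combined Log Format: ip - - [time] "METHOD path PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines (documentation IP ranges and example domains).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Sep/2019:12:30:01 +0200] "GET /livezilla/script.php?id=lzdefsc HTTP/1.1" 200 5120 "https://domain.tld/contact" "Mozilla/5.0"
198.51.100.7 - - [03/Sep/2019:12:31:10 +0200] "GET /livezilla/script.php?id=lzdefsc HTTP/1.1" 200 5120 "https://other-site.example/page" "Mozilla/5.0"
198.51.100.8 - - [03/Sep/2019:12:32:44 +0200] "GET /livezilla/script.php?id=lzdefsc HTTP/1.1" 200 5120 "https://other-site.example/about" "Mozilla/5.0"
192.0.2.44 - - [03/Sep/2019:12:33:02 +0200] "GET /livezilla/script.php?id=lzdefsc HTTP/1.1" 200 5120 "http://shop.example.net/" "Mozilla/5.0"
192.0.2.45 - - [03/Sep/2019:12:34:19 +0200] "GET /livezilla/script.php?id=lzdefsc HTTP/1.1" 200 5120 "-" "curl/7.65"
192.0.2.46 - - [03/Sep/2019:12:35:00 +0200] "GET /index.html HTTP/1.1" 200 900 "https://other-site.example/page" "Mozilla/5.0"
"""


def foreign_embeds(log_text):
    """Count widget requests per Referer host that is not in ALLOWED_HOSTS.

    Referer is client-supplied and may be missing or forged, so this is a
    visibility report, not an access control.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(WIDGET_PREFIX):
            continue  # unparsable line or not a request to the chat install
        referer = m["referer"]
        if referer in ("", "-"):
            continue  # no Referer sent; nothing to attribute
        host = (urlsplit(referer).hostname or "").lower()
        if host and host not in ALLOWED_HOSTS:
            hits[host] += 1
    return hits


if __name__ == "__main__":
    for host, count in foreign_embeds(SAMPLE_LOG).most_common():
        print(f"{count:5d}  {host}")
```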




