{"id":15973,"date":"2019-08-01T17:40:02","date_gmt":"2019-08-02T01:40:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/08\/01\/news-9717\/"},"modified":"2019-08-01T17:40:02","modified_gmt":"2019-08-02T01:40:02","slug":"news-9717","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/08\/01\/news-9717\/","title":{"rendered":"LiveZilla Live Chat Technical Advisory"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i>Breaking Threat Research from FortiGuard Labs<\/i><\/p>\n<h2>Introduction<\/h2>\n<p>In June 2019, Fortinet&#8217;s FortiGuard Labs discovered and reported 7 vulnerabilities in Live Chat, the Next Generation Live Help and Live Support System from LiveZilla that connects organizations to their website visitors.<b> <\/b>LiveZilla is a software company trusted by Fortune 500 companies and top universities, and has over 15,000 users.<\/p>\n<p>The vulnerabilities were found in versions 8.0.1.0 and below. At the time of the writing of this advisory, these issues have been fixed and those fixes have been published by the vendor. 
FortiGuard Labs appreciates the vendor\u2019s quick response and timely fixes.<\/p>\n<p>The following is a summary of the discovered vulnerabilities:<\/p>\n<ol>\n<li><a href=\"https:\/\/fortiguard.com\/zeroday\/FG-VD-19-082\">LiveZilla Server before 8.0.1.1 is vulnerable to SQL Injection in server.php via the p_ext_rse parameter<\/a><\/li>\n<li><a href=\"https:\/\/fortiguard.com\/zeroday\/FG-VD-19-083\" style=\"\">LiveZilla Server before 8.0.1.1 is vulnerable to XSS in mobile\/index.php via the Accept-Language HTTP header<\/a><\/li>\n<li><a href=\"https:\/\/fortiguard.com\/zeroday\/FG-VD-19-084\" style=\"\">LiveZilla Server before 8.0.1.1 is vulnerable to Denial of Service (memory consumption) in knowledgebase.php via a large integer value of the depth parameter<\/a><\/li>\n<li><a href=\"https:\/\/fortiguard.com\/zeroday\/FG-VD-19-085\" style=\"\">LiveZilla Server before 8.0.1.2 is vulnerable to XSS in the chat.php Create Ticket Action<\/a><\/li>\n<li><a href=\"https:\/\/fortiguard.com\/zeroday\/FG-VD-19-086\" style=\"\">LiveZilla Server before 8.0.1.1 is vulnerable to SQL Injection in functions.internal.build.inc.php via the parameter p_dt_s_d<\/a>.<\/li>\n<li><a href=\"https:\/\/fortiguard.com\/zeroday\/FG-VD-19-087\" style=\"\">LiveZilla Server before 8.0.1.1 is vulnerable to XSS in the ticket.php Subject<\/a><\/li>\n<li><a href=\"https:\/\/fortiguard.com\/zeroday\/FG-VD-19-088\" style=\"\">LiveZilla Server before 8.0.1.1 is vulnerable to CSV Injection in the Export Function<\/a><\/li>\n<\/ol>\n<h2>Vulnerability Details<\/h2>\n<h3>1. 
FG-VD-19-082 LiveZilla Server before 8.0.1.1 is vulnerable to SQL Injection in server.php via the p_ext_rse parameter<\/h3>\n<p>When auditing the source code file livezillaserver.php, line 76 shows that server.php imports the intern.php file.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image.img.png\" alt=\"Code snippet of server.php\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1: Code snippet of server.php<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>When we look into livezillaintern.php, we see that it calls the Listen() method of the class OperatorRequest at line 29. 
This class is defined in livezilla_libobjects.internal.inc.php.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_887623030.img.png\" alt=\"Code snippet of intern.php\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2: Code snippet of intern.php<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As we can see in Figure 3, it then calls the Build() method of the same class at line 302:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_729177051.img.png\" alt=\"Code snippet of _libobjects.internal.inc.php\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3: Code snippet of _libobjects.internal.inc.php<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Digging into Build(), at line 405 we can see that it calls buildResources():<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img 
decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_866407437.img.png\" alt=\"Code of Build method in class OperatorRequest\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4: Code of Build method in class OperatorRequest<\/span>         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_240644584.img.png\" alt=\"Code of buildResources in _libfunctions.internal.build.inc.php\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5: Code of buildResources in _libfunctions.internal.build.inc.php<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As you can see at line 59 in Figure 5, it executes the following SQL query:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_1110942253.img.png\" alt=\"SQL query lacks quote sanitization\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Listing 1: SQL query lacks quote sanitization<\/span>         <\/div>\n<div class=\"cmp cmp-text 
aem-GridColumn aem-GridColumn--default--12\">\n<p>In Listing 1, the parameter is passed through the DBManager::RealEscape filter function to avoid SQL injection. But unfortunately, the value is not enclosed in quotes in the query, which renders the filter function ineffective. Hence, we just need to supply a value without any quotes to the SQL query in order to exploit the vulnerability.<\/p>\n<p>The constant POST_INTERN_XMLCLIP_RESOURCES_END_TIME used in $_POST[POST_INTERN_XMLCLIP_RESOURCES_END_TIME] is defined in livezilla_definitionsdefinitions.protocol.inc.php at line 51:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_695406369.img.png\" alt=\"Code snippet of _definitionsdefinitions.protocol.inc.php\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6: Code snippet of _definitionsdefinitions.protocol.inc.php<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>So the final payload of the exploit looks like:<\/p>\n<ul>\n<li>True case:<\/li>\n<\/ul>\n<p style=\"margin-left: 40.0px;\"><b>p_ext_rse=(select*from(select(if((substr(123,1,1) like 1),2,sleep(5))))a)<\/b><\/p>\n<ul>\n<li>False case:<\/li>\n<\/ul>\n<p style=\"margin-left: 40.0px;\"><b>p_ext_rse=(select*from(select(if((substr(123,1,1) like 2),2,sleep(5))))a)<\/b><\/p>\n<p>Figure 7 shows the patch from the vendor:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" 
src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_55640043.img.png\" alt=\"Patch from vendor for FG-VD-19-082\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7: Patch from vendor for FG-VD-19-082<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3>2. FG-VD-19-083 LiveZilla Server before 8.0.1.1 is vulnerable to XSS in mobile\/index.php via the Accept-Language HTTP header<\/h3>\n<p>When analyzing the source code file in livezillamobileindex.php, at line 84, we realize that the server echoes $language without proper sanitization, which can result in a Cross-Site Scripting (XSS) vulnerability.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_891635427.img.png\" alt=\"Code snippet of mobileindex.php\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8: Code snippet of mobileindex.php<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The value of $language is taken from $_SERVER[&#8216;HTTP_ACCEPT_LANGUAGE&#8217;], which is the Accept-Language field in HTTP request header.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" 
src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_1426351257.img.png\" alt=\"Value of $language\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9: Value of $language<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>By using a Man-in-the-Middle (MiTM) attack, or any browser extension that modifies the header, the attacker can run JavaScript code within the user\u2019s browser.<\/p>\n<p>Figure 10 shows the patch from the vendor:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_852510549.img.png\" alt=\"Patch from vendor for FG-VD-19-083\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10: Patch from vendor for FG-VD-19-083<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3>3. 
FG-VD-19-084 LiveZilla Server before 8.0.1.1 is vulnerable to Denial of Service (memory consumption) in knowledgebase.php via a large integer value of the depth parameter<\/h3>\n<p>This Denial of Service was spotted in livezillaknowledgebase.php, at lines 39 to 51:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_122001126.img.png\" alt=\"Code snippet of knowledgebase.php\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11: Code snippet of knowledgebase.php<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The conditional structure at <b>line<\/b> <b>39 <\/b>determines if the Search Engine Optimization (SEO)-friendly URL option is turned on. If it is, it looks for GET parameter depth and then performs a loop based action on\u00a0its\u00a0value, which can be controlled by attackers. In other words, if we provide input, say \u201c?depth=2200000\u201d, it will loop 2200000 times. 
As we can see in Figure 11, lines 46-47, the loop body concatenates the string \u201c..\/\u201d onto the $path variable, which can exhaust the available memory.<\/p>\n<p>Figure 12 shows the patch from the vendor:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_410060194.img.png\" alt=\"Patch from vendor for FG-VD-19-084\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12: Patch from vendor for FG-VD-19-084<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3>4. FG-VD-19-085 LiveZilla Server before 8.0.1.2 is vulnerable to XSS in the chat.php Create Ticket Action<\/h3>\n<p>This is another XSS vulnerability that can be triggered from the Guest Live Chat window. The attacker can enter an XSS payload in the Live Chat (Figure 13). 
<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_2044330619.img.png\" alt=\"Chat Payload from Guest\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 13: Chat Payload from Guest<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>From the admin panel, if the admin creates a ticket on the chat window, that chat content is rendered into a new chat ticket pop-up without sanitization, which could result in arbitrary javascript execution within the user\u2019s browser.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_360382078.img.png\" alt=\"Creating Ticket action from Admin\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 14: Creating Ticket action from Admin<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Upon verifying the patches from the vendor, we realized that the patch in version 8.0.1.1 was incomplete. We informed the developer and provided them with the additional payload that can bypass the patch in version 8.0.1.1, and they provided a complete fix for this issue. 
Figure 15 shows the patch in version 8.0.1.2 from the vendor:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_241239276.img.png\" alt=\"Code snippet of mobilejslzmclassesChatTicketClass.js\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 15: Code snippet of mobilejslzmclassesChatTicketClass.js<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3>5. FG-VD-19-086 LiveZilla Server before 8.0.1.1 is vulnerable to SQL Injection in functions.internal.build.inc.php via the parameter p_dt_s_d<\/h3>\n<p>Another SQL injection vulnerability can be found in livezilla_libfunctions.internal.build.inc.php, at lines 596 to 605.<b><\/b><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--12 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_98559688.img.png\" alt=\"Code snippet of _libfunctions.internal.build.inc.php\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 16: Code snippet of _libfunctions.internal.build.inc.php<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The server determines if the parameter p_dt_s_d is sent via a POST HTTP request, and then inputs its value directly to the query without sanitizing the value. 
This leads to a classic SQL injection.<\/p>\n<p>Figures 17 and 18 show the patch from the vendor:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_1794467414.img.png\" alt=\"Patch from vendor for FG-VD-19-086 \u2013 Hardcoded value for sort params\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 17: Patch from vendor for FG-VD-19-086 \u2013 Hardcoded value for sort params<\/span>         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_669591476.img.png\" alt=\"Patch from vendor for FG-VD-19-086\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 18: Patch from vendor for FG-VD-19-086<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3>6. FG-VD-19-087 LiveZilla Server before 8.0.1.1 is vulnerable to XSS in the ticket.php Subject<\/h3>\n<p>Another XSS was spotted in livezillaticket.php, at line 109. 
For this vulnerability, the server replaces the $subject placeholder with our crafted content without proper sanitization.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_606518117.img.png\" alt=\"Code snippet of ticket.php\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 19: Code snippet of ticket.php<\/span>         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_766200809.img.png\" alt=\"Cross-site Scripting Vulnerability in ticket.php\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 20: Cross-site Scripting Vulnerability in ticket.php<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Figure 21 shows the patch from the vendor:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img 
decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_295664609.img.png\" alt=\"Patch from vendor for FG-VD-19-087\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 21: Patch from vendor for FG-VD-19-087<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3>7. FG-VD-19-088 LiveZilla Server before 8.0.1.1 is vulnerable to CSV Injection in the Export Function<\/h3>\n<p>We also spotted the Comma Separated Value (CSV) file injection in the source code file livezilla_libfunctions.internal.man.inc.php. From lines 736 to 744 in Figure 22 we can see that the server attempts to export data in CSV format without sanitization.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_1606881112.img.png\" alt=\"Code snippet of _libfunctions.internal.man.inc.php\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 22: Code snippet of _libfunctions.internal.man.inc.php<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Figure 23 shows the patch from the vendor:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" 
src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image_1468648067.img.png\" alt=\"Patch from vendor for FG-VD-19-088\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 23: Patch from vendor for FG-VD-19-088<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Disclosure Timeline<\/h2>\n<ul>\n<li>June 22, 2019: Fortinet reported the vulnerabilities FG-VD-19-082 and FG-VD-19-084 to LiveZilla<\/li>\n<li>June 24, 2019: Fortinet reported the vulnerability FG-VD-19-086 to LiveZilla<\/li>\n<li>June 25, 2019: Fortinet reported the vulnerabilities FG-VD-19-083, FG-VD-19-085, FG-VD-19-087, and FG-VD-19-088 to LiveZilla<\/li>\n<li>June 26, 2019: LiveZilla confirmed the vulnerabilities and released patches for them<\/li>\n<li>June 27, 2019: Fortinet confirmed the fix for those vulnerabilities, except for FG-VD-19-085<\/li>\n<li>July 01, 2019: LiveZilla confirmed that the fix for FG-VD-19-085 was not correct; a corrected fix was pending for version 8.0.1.2<\/li>\n<li>July 23, 2019: LiveZilla released version 8.0.1.2 to patch the vulnerability; Fortinet confirmed the fix for FG-VD-19-085<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>In conclusion, the root cause for all of these vulnerabilities is the lack of trivial input sanitization. 
As a result, FortiGuard Labs found multiple vulnerabilities in the LiveZilla Live Chat software, ranging from medium to critical severity.<\/p>\n<p>It is crucial for Live Chat users to apply the patches provided by LiveZilla immediately, as some of the vulnerabilities \u2013 for instance, those that enable the SQL Injection \u2013 would allow attackers to extract confidential information from the database upon successful exploitation.<\/p>\n<p><b>Note:<\/b> If you are interested in this kind of assessment for your software or application, FortiGuard Labs provides a tailor-made vulnerability assessment and penetration testing service that can help you improve the security of your products. Visit\u00a0<a href=\"https:\/\/fortiguard.com\/services\/pentesting\">https:\/\/fortiguard.com\/services\/pentesting<\/a> for more information.<\/p>\n<p>-= FortiGuard Lion Team =-<\/p>\n<h2>Solution<\/h2>\n<p>FortiGuard Labs released the following IPS signatures, which cover all the vulnerabilities mentioned:<\/p>\n<p style=\"margin-left: 40.0px;\">LiveZilla.LiveZillaServer.buildResources.SQL.Injection<br \/> LiveZilla.LiveZillaServer.Language.XSS<br \/> LiveZilla.LiveZillaServer.knowledgebase.DoS<br \/> LiveZilla.LiveZillaServer.CreateTicket.XSS<br \/> LiveZilla.LiveZillaServer.demandTickets.SQL.Injection<br \/> LiveZilla.LiveZillaServer.TicketSubject.XSS<br \/> LiveZilla.LiveZillaServer.Export.CSV.Injection<\/p>\n<p>CVSS 3.0 metrics:<\/p>\n<p style=\"margin-left: 40.0px;\"><b>FG-VD-19-082:<\/b> Base Score 9.8, Critical severity<br \/> <b style=\"\">FG-VD-19-083:<\/b> Base Score 6.1, Medium severity<br \/> <b style=\"\">FG-VD-19-084:<\/b> Base Score 5.9, Medium severity<br \/> <b style=\"\">FG-VD-19-085:<\/b> Base Score 6.1, Medium severity<br \/> <b style=\"\">FG-VD-19-086:<\/b> Base Score 9.8, Critical severity<br \/> <b style=\"\">FG-VD-19-087:<\/b> Base Score 6.1, Medium severity<br \/> <b style=\"\">FG-VD-19-088:<\/b> Base Score 8.8, High severity<\/p>\n<p><i>Learn more 
about\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0and the FortiGuard Security Services\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>.\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">Sign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.\u00a0<\/i><\/p>\n<p><i>Read about the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>, which provides security audits and best practices.<\/i>\u00a0<\/p>\n<\/p><\/div>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/livezilla-live-chat-technical-advisory\/_jcr_content\/root\/responsivegrid\/image.img.png\"\/><br \/>FortiGuard Labs recently discovered and reported 7 vulnerabilities in version 8.0.1.0 and below of LiveZilla&#8217;s Live Chat. 
Read more about these vulnerabilities, all of which have since been fixed by the vendor.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-15973","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15973","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15973"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15973\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15973"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15973"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15973"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}