Thursday, 19 December 2013

Yandex Metrica multiple XSS vulnerabilities

OK, some time ago I found a few XSS vulnerabilities in one of Yandex's services, called Metrika. Most are fixed now, so I can provide proofs of concept publicly. :)

1) Reflected XSS - [somewhere]

(this one is still not fixed, so it will be disclosed in the future, but it's nothing special really)

2) Stored XSS - external links

The demonstration video is quite long because I was creating the PoC while recording. ;-)

3) Stored XSS - WebVisor

Visiting your website with the Metrica counter in this way:


causes Metrica WebVisor to render it without escaping, which is just another stored XSS.

4) Stored XSS - file downloads

5) Stored XSS - Clickpath analysis

6) Reflected XSS - Form Data analysis

7) *BONUS* out of scope (so unrewarded) reflected XSS in'XSS')

Effect + source code:

And that's all for today. :)
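The stored XSS items above share the pattern spelled out in item 3: data recorded from a visit is later rendered in a report without escaping. The sketch below is an added example, not code from the original post or from Yandex; it shows the output-encoding side of the fix and goes one step beyond the post by also allow-listing link schemes before a stored URL is rendered as a link. The field names (`pageUrl`, `linkUrl`, `fileName`) and the sample record are assumptions constructed for illustration.

```javascript
// Added example: rendering visitor-controlled analytics fields safely.
// Field names and the report layout are hypothetical, not Metrica's.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode text for an HTML element body or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Return the normalized URL only if it parses and uses http(s); otherwise null.
function safeHref(raw) {
  try {
    const url = new URL(String(raw));
    return url.protocol === "http:" || url.protocol === "https:" ? url.href : null;
  } catch {
    return null; // not an absolute URL at all
  }
}

// Build one report row. Every stored field is treated as untrusted input,
// because it was supplied by whoever visited the tracked site.
function renderVisitRow(visit) {
  const href = safeHref(visit.linkUrl);
  const linkCell = href
    ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(visit.linkUrl)}</a>`
    : escapeHtml(visit.linkUrl); // shown as inert text, never as a link
  return (
    `<tr><td>${escapeHtml(visit.pageUrl)}</td>` +
    `<td>${linkCell}</td>` +
    `<td>${escapeHtml(visit.fileName)}</td></tr>`
  );
}

// Constructed sample record: markup in the page URL and file name,
// and a non-http(s) scheme in the external link.
const sample = {
  pageUrl: 'http://example.test/?q="><b>x</b>',
  linkUrl: "javascript:void(0)",
  fileName: "<i>report</i>.pdf",
};

console.log(renderVisitRow(sample));
```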

Saturday, 14 December 2013

[EN] LiveZilla multiple vulnerabilities

I was looking a bit into the LiveZilla source code and found a few vulnerabilities. Most of them were fixed in the version released a few days ago. Details:

CVE-2013-7034 - LiveZilla PHP Object Injection
CVE-2013-7033 - LiveZilla Insecure password storage
CVE-2013-7032 - LiveZilla Multiple Stored XSS in webbased operator client
CVE-2013-7003 - LiveZilla Stored XSS in operator clients
CVE-2013-7002 - LiveZilla Reflected XSS in translations