<<< Date Index >>>     <<< Thread Index >>>

Cross-site scripting vulnerability in Crafy Syntax Live Help 2.7.3 and below



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The problem:

Users are able to insert pieces of html both in
 their name when they request livehelp and in chat sessions.
For example. If I where to input the following  javascript inside a  
"<"script">" tag and use it as my name.
 
window.location("http://www.cgisecurity.com/articles/xss-faq.shtml";);

This would cause all online operators to goto that
 URL. This on its own may not seem to be that big of a deal to you. The
 following example is a little more malicious. If the following snippet of
 code is put between script tags and then pasted into an chat session
 with an operator it will cause CSLH to remove the first operator.
 
window.location("http://livehelp.someisp.com/livehelp/operators.php?remove=1";)

Solution:

Upgrade to CSLH 2.7.4.

HNK Technology Solutions would like to thank the developer(s) of CSLH for 
their quick response and fix for the problem.

John C. Hennessy
President/CTO
HNK Technology Solutions, Inc.
http://www.hnkts.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAv2VXT9ZtXavj78YRAiB9AJ9whkTWLcDsZW4BvAAherb+n8e8YQCgoIyB
+d78L6Bl/UoblPFmfOTXhXQ=
=oxIS
-----END PGP SIGNATURE-----