Cross-site scripting vulnerability in Crafy Syntax Live Help 2.7.3 and below
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The problem:
Users are able to insert pieces of html both in
their name when they request livehelp and in chat sessions.
For example. If I where to input the following javascript inside a
"<"script">" tag and use it as my name.
window.location("http://www.cgisecurity.com/articles/xss-faq.shtml");
This would cause all online operators to goto that
URL. This on its own may not seem to be that big of a deal to you. The
following example is a little more malicious. If the following snippet of
code is put between script tags and then pasted into an chat session
with an operator it will cause CSLH to remove the first operator.
window.location("http://livehelp.someisp.com/livehelp/operators.php?remove=1")
Solution:
Upgrade to CSLH 2.7.4.
HNK Technology Solutions would like to thank the developer(s) of CSLH for
their quick response and fix for the problem.
John C. Hennessy
President/CTO
HNK Technology Solutions, Inc.
http://www.hnkts.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAv2VXT9ZtXavj78YRAiB9AJ9whkTWLcDsZW4BvAAherb+n8e8YQCgoIyB
+d78L6Bl/UoblPFmfOTXhXQ=
=oxIS
-----END PGP SIGNATURE-----