CVE-2013-6223: Local Password Disclosure in LiveZilla

CVE-2013-6223: Local Password Disclosure in LiveZilla

Date: 2013-12-05 08:37:45
CVE-2013-6223: Security Advisory – Curesec Research Team

1. Introduction

Advisory ID: Cure-2013-1008
Advisory URL:
Affected Product: LiveZilla version
Affected Systems: Linux/Windows
Fixed in:
Fixed Version Link:
Vendor Contact:
Vulnerability Type: Local Password Disclosure
Remote Exploitable: No
Reported to vendor: 18.10.2013
Disclosed to public: 28.11.2013
Release mode: Coordinated release
CVE: CVE-2013-6223

2. Vulnerability Description

An 1click file that allows an admin to log into LiveZilla using a mouse click is saved in a xml representation. This xml file includes the admin username and password in plaintext. Base64 is not an encryption mechanism. If an attacker is able to get access to a 1click file he can easily open the file and discover username and password for an administrator.



Administrators passwords should not be stored in files as plaintext. The 1click design should be changed so that as an example the 1click file asks the administrator for a password before opening. This way it can be assured that the administrator password is not disclosed to attackers.

3. Proof of Concept Codes:

Just open the xml based onclick file.

4. Solution:

Upgrade to Version

5. Report Timeline

18.10.2013 Informed Vendor about Issue
12.11.2013 Vendor informed Curesec about patched version
28.11.2013 Disclosed to public.

Download article:

text-file-icon Curesec-2013-1008.pdf