EXIF Geolocation Data Not Stripped From Uploaded Images (vulnerability) in livehelperchat/livehelperchat

Valid

Reported on

Mar 31st 2022


Vulnerability name: EXIF Geolocation Data Not Stripped From Uploaded Images (vulnerability)

Description:- When the user uploads his profile picture, the uploaded image’s EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information of microweber users like their Geolocation, their Device information like Device Name, Version, Software & Software version used, etc.

Proof of Concept:- 1.Browse this link:- https://github.com/ianare/exif-samples/blob/master/jpg/gps/DSCN0012.jpg

2.Download the image. (https://demo.livehelperchat.com/) Upload the picture in this website. and click on save.

3.Now see the path of the uploaded image ( Either by right click on image then copy image address OR right-click, inspect the image, the URL will come in the inspect, edit it as HTML )

4.Then open:- http://exif.regex.info/exif.cgi

5.Paste the URL (https://demo.livehelperchat.com/file/downloadfile/1/c929ce732798665ef82bcdba8dba1486) of the image path now you can see the EXIF data.

Impact:- This vulnerability impacts all users on livehelperchat. This vulnerability violates the privacy of a User and shares sensitive information of the user who uploads their profile picture on livehelperchat.

Impact

Impact:- This vulnerability impacts all users on livehelperchat. This vulnerability violates the privacy of a User and shares sensitive information of the user who uploads their profile picture on livehelperchat.

We are processing your report and will contact the livehelperchat team within 24 hours. 2 months ago
Remigijus Kiminas validated this vulnerability 2 months ago
tharunavula has been awarded the disclosure bounty
The fix bounty is now up for grabs
Remigijus
2 months ago

Maintainer


Fixed. Have in mind that for visitor files, that option has to be enabled in back office just. I fixed other parts like widget themes where image files can be uploaded.

Remigijus Kiminas confirmed that a fix has been merged on 56d8e5 2 months ago
The fix bounty has been dropped
to join this conversation