Host Header injection in password Reset in livehelperchat/livehelperchat

Valid

Reported on

Mar 11th 2022


Description

The password reset uses $_SERVER['HTTP_HOST'] to generate the password without any checks or filtering, allowing a malicious attacker to generate a fake password reset link to steal password reset tokens, which may lead to account takeover.

Impact

Account Takeover
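The pattern described in the report next to a hardened form, as an added example that is not taken from the report or from the Live Helper Chat code base: the reset link's host is chosen from a server-side allowlist instead of the request's Host header, and a mismatch is logged for detection. The host names, the `/reset-password` path and all function names are assumptions.

```php
<?php
// Added example; not Live Helper Chat code. Hosts, path and names are hypothetical.

// Assumption: the public hostnames are fixed in server-side configuration.
const CANONICAL_HOST = 'chat.example.com';
const ALLOWED_HOSTS  = ['chat.example.com', 'support.example.com'];

// Pattern from the report: the link host is whatever the client sent.
function reset_url_unsafe(array $server, string $token): string
{
    return 'https://' . $server['HTTP_HOST'] . '/reset-password?token=' . $token;
}

// Map the request's Host header to an allowlisted name, else the canonical one.
function trusted_host(array $server): string
{
    $raw  = (string)($server['HTTP_HOST'] ?? '');
    // Normalise case and drop an optional :port before comparing.
    $host = preg_replace('/:\d{1,5}$/', '', strtolower(trim($raw)));
    if (in_array($host, ALLOWED_HOSTS, true)) {
        return $host;
    }
    // json_encode keeps control characters in the header out of the log line.
    error_log('password reset: untrusted Host header '
        . json_encode($raw, JSON_INVALID_UTF8_SUBSTITUTE));
    return CANONICAL_HOST;
}

function reset_url_safe(array $server, string $token): string
{
    return 'https://' . trusted_host($server)
        . '/reset-password?token=' . rawurlencode($token);
}

// Constructed sample requests: two legitimate hosts and one foreign Host header.
$token = bin2hex(random_bytes(16));
foreach (['chat.example.com', 'SUPPORT.example.com:443', 'mail.other.invalid'] as $h) {
    $server = ['HTTP_HOST' => $h];
    echo "Host: $h\n";
    echo '  unsafe: ', reset_url_unsafe($server, $token), "\n";
    echo '  safe:   ', reset_url_safe($server, $token), "\n";
}
```

The log line emitted for a rejected Host header is a useful detection signal: a burst of password reset requests carrying an unknown host is worth alerting on.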

We are processing your report and will contact the livehelperchat team within 24 hours. 3 months ago
Remigijus Kiminas validated this vulnerability 3 months ago
noobexploiterhuntrdev has been awarded the disclosure bounty
The fix bounty is now up for grabs
noobexploiterhuntrdev
3 months ago

Researcher


Awesome, I did reproduce it in mine; here are some PoCs just in case you need them.

We have sent a fix follow up to the livehelperchat team. We will try again in 7 days. 2 months ago
We have sent a second fix follow up to the livehelperchat team. We will try again in 10 days. 2 months ago
We have sent a third and final fix follow up to the livehelperchat team. This report is now considered stale. 2 months ago
Remigijus
2 months ago

Maintainer


This was fixed. But it seems there is some bug in huntr, as I can't confirm a fix :D https://doc.livehelperchat.com/docs/security https://github.com/LiveHelperChat/livehelperchat/commit/ce96791cb4c7420266b668fc234c211914259ba7

Remigijus
2 months ago

Maintainer


@admin I'm a maintainer and I can't close the issue. Why?

Jamie Slome
2 months ago

Admin


@remdex - we have slightly adjusted our UI. You should be able to confirm the fix using the drop-down below.

You should see mark as fixed? Let me know if you are still having issues 👍

Remigijus Kiminas confirmed that a fix has been merged on ce9679 2 months ago
The fix bounty has been dropped
forgotpassword.php#L62 has been validated