Host Header injection in password Reset in livehelperchat/livehelperchat

Valid

Reported on

Mar 11th 2022


Description

The password reset uses $_SERVER['HTTP_HOST'] to generate the password without any checks or filtering, allowing a malicious attacker to generate a fake password reset link to steal password reset tokens, which may lead to account takeover.

Impact

Account Takeover
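
The pattern the report describes, next to a hardened variant, as an added PHP example (not Live Helper Chat's code and not its actual fix). The function names, the `/reset-password` path and the `chat.example.com` allowlist are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical deployment settings (assumptions, not from the project).
const ALLOWED_HOSTS  = ['chat.example.com'];
const CANONICAL_HOST = 'chat.example.com';

// Pattern described in the report: the host part of the reset link is
// copied from the request's Host header, which the client controls.
function resetLinkUnsafe(array $server, string $token): string
{
    return 'https://' . $server['HTTP_HOST']
        . '/reset-password?token=' . rawurlencode($token);
}

// Hardened variant: the header is used only on an exact allowlist match;
// anything else (unknown host, missing header, unexpected port suffix)
// falls back to the configured canonical host.
function resetLinkSafe(array $server, string $token): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        $host = CANONICAL_HOST;
    }
    return 'https://' . $host
        . '/reset-password?token=' . rawurlencode($token);
}

// Constructed sample requests: one legitimate, one with a forged Host header.
$token    = bin2hex(random_bytes(16));
$requests = [
    'legitimate' => ['HTTP_HOST' => 'chat.example.com'],
    'forged'     => ['HTTP_HOST' => 'attacker.example'],
];

foreach ($requests as $label => $server) {
    printf("%-10s unsafe: %s\n", $label, resetLinkUnsafe($server, $token));
    printf("%-10s safe:   %s\n", $label, resetLinkSafe($server, $token));
}
```

For the forged request, the unsafe builder emails a link whose host is the forged value, while the safe builder still points at the canonical host.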

We are processing your report and will contact the livehelperchat team within 24 hours. a year ago
Remigijus Kiminas validated this vulnerability a year ago
noobexploiterhuntrdev has been awarded the disclosure bounty
The fix bounty is now up for grabs
noobexploiterhuntrdev
a year ago

Researcher


Awesome, I did reproduce it in mine; here are some PoCs just in case you need them.

We have sent a fix follow up to the livehelperchat team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the livehelperchat team. We will try again in 10 days. a year ago
We have sent a third and final fix follow up to the livehelperchat team. This report is now considered stale. a year ago
Remigijus
a year ago

Maintainer


This was fixed. But it seems there is some bug in huntr, as I can't confirm a fix :D https://doc.livehelperchat.com/docs/security https://github.com/LiveHelperChat/livehelperchat/commit/ce96791cb4c7420266b668fc234c211914259ba7

Remigijus
a year ago

Maintainer


@admin I'm a maintainer and I can't close the issue. Why?

Jamie Slome
a year ago

Admin


@remdex - we have slightly adjusted our UI. You should be able to confirm the fix using the drop-down below.

You should see mark as fixed? Let me know if you are still having issues 👍

Remigijus Kiminas marked this as fixed in 3.97 with commit ce9679 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
forgotpassword.php#L62 has been validated