Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat

Valid

Reported on

Aug 24th 2021


✍️ Description

here is a Stored XSS on the user profile image uploader via svg file

🕵️‍♂️ Proof of Concept

Step to reproduce:

  1. Go to account profile
  2. Click the choose file option to update profile image
  3. Upload the svg file containing malicious code: or you can download it from : http://brutelogic.com.br/poc.svg now open the image and see the xss pops up.

poc image : https://ibb.co/njCJ4gD

i used the demo pp you hosted and also verified by hosting it in locally, for poc purpose am giving your demo app profiles link : https://demo.livehelperchat.com/var/userphoto/2021y/08/24/1/7c0dd946d97921107d75acdcbfec6bad.svg

💥 Impact

Stored xss

We have contacted a member of the livehelperchat team and are waiting to hear back a year ago
Remigijus
a year ago

Maintainer


And how exactly this can be exploited?

D3lT4
a year ago

Researcher


An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.

D3lT4
a year ago

Researcher


these are some demo reports : https://hackerone.com/reports/179164 https://hackerone.com/reports/894876

Remigijus
a year ago

Maintainer


And I'm talking about real world situation. As now you had access to back office because it's demo in normal circumstances you won't have it, so how you are going to exploit that, as visitors also can't upload these type of files.

D3lT4
a year ago

Researcher


consider if any users account is compromised and the attacker can use it as a target app and can use it to host such file and sent along the world wide... i hope if your considering like that, then there is no point of reporting issues to this repo since it is an backend and no admin will hack himself ...!!

Remigijus
a year ago

Maintainer


In any case I have approved the issue as I can do cleanups in any case using third party libraries like https://github.com/darylldoyle/svg-sanitizer :)

Remigijus Kiminas validated this vulnerability a year ago
D3lT4 has been awarded the disclosure bounty
The fix bounty is now up for grabs
D3lT4
a year ago

Researcher


also the exploit may differ from one's imagination ... as you know....

Remigijus
a year ago

Maintainer


And yes that's what i wanted to tell. It's more like hacking itself :D

Remigijus Kiminas marked this as fixed with commit 0ce1dd a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation