#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/en/research/advisories/
#
#############################################################
#
# CSNC ID: CSNC-2017-004
# Product: Live Helper Chat [1]
# Vendor: Live Helper Chat
# Subject: Cross-Site Scripting - XSS
# Risk: High
# Effect: Remotely exploitable
# Author: Sylvain Heiniger (sylvain.heiniger@compass-security.com)
# Date: April 24, 2017
#
#############################################################

Introduction:
----------------
Live Helper Chat is a live chat support for websites. It provides a simple solution for companies to get in contact with visitors of their websites. [1]

Compass Security discovered a web application security flaw in the Live Helper Chat application which allows an attacker to execute JavaScript code in the browser of a user. This allows, for instance, attacking the user's browser or redirecting the user to a phishing website. In some cases the attack runs automatically in the backend operator's session. Otherwise, one can send the victim a link to the website with the malicious payload.

Affected Versions:
-----------------------
The following Live Helper Chat versions are vulnerable:
- 2.06v - 2.58v [2]

Patches:
-----------
Live Helper Chat released a patch as part of release 2.60v [3, 4].

Technical Description:
-----------------------------
Live Helper Chat detects the visitor's IP address. To this end, it reads the "X-Forwarded-For" HTTP header. Any visitor can inject a

Connection: close
Content-Length: 188

Username=Example&Question=My+question&user_timezone=2&URLRefer=%2F%2Flocalhost%2F&r=&operator=0&StartChat=1&captcha_1977271e431742414c31477d258028664d713ae0=1475518554&tscaptcha=1475518554
===============

A subsequent request to the online users page /lhc_web/index.php/site_admin/chat/onlineusers/(method)/ajax/(timeout)/3600/(maxrows)/50 is answered with:
===============
[{"id":"1","ip":"
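The root cause described above is a visitor-controlled "X-Forwarded-For" value that is stored as the visitor's IP and later rendered on the operator's online users page. The following is an added example, written for this advisory and not code from Live Helper Chat or from Compass Security; it contrasts the unvalidated lookup with a hardened one that only honours the header from a known proxy and only accepts a syntactically valid address, and it includes a small post-patch check over stored rows. The proxy address, the function names and the sample rows are constructed assumptions.

```python
import ipaddress

# Constructed example: the reverse proxy operated in front of the chat application.
# Assumption: only this peer is allowed to set X-Forwarded-For on the application's behalf.
TRUSTED_PROXIES = {"10.0.0.2"}


def vulnerable_client_ip(remote_addr, forwarded_for=None):
    """The pattern the advisory describes: the header value is used verbatim,
    so whatever the visitor sent is stored as the 'ip' and later shown to the operator."""
    return forwarded_for if forwarded_for else remote_addr


def client_ip(remote_addr, forwarded_for=None):
    """Hardened lookup: consult X-Forwarded-For only when the TCP peer is a proxy we
    operate, and only keep the hop if it parses as an IPv4/IPv6 address.
    Anything else falls back to the peer address, so no attacker text is ever stored."""
    if remote_addr not in TRUSTED_PROXIES or not forwarded_for:
        return remote_addr
    # X-Forwarded-For is "client, proxy1, proxy2"; the first entry is the original client.
    first_hop = forwarded_for.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first_hop))
    except ValueError:
        # Malformed value (e.g. markup instead of an address): ignore the header.
        return remote_addr


def find_suspicious_ip_fields(rows):
    """Post-patch check over stored visitor rows (the shape of the online users
    response quoted in the advisory): return the ids whose 'ip' is not a valid address,
    i.e. rows that may already hold injected content."""
    bad = []
    for row in rows:
        try:
            ipaddress.ip_address(row["ip"])
        except ValueError:
            bad.append(row["id"])
    return bad


# Constructed sample rows; row 2 carries a non-address value where an IP is expected.
SAMPLE_ROWS = [
    {"id": "1", "ip": "203.0.113.5"},
    {"id": "2", "ip": "<not-an-ip>"},
    {"id": "3", "ip": "2001:db8::10"},
]

if __name__ == "__main__":
    print(vulnerable_client_ip("10.0.0.2", "<not-an-ip>"))      # stored as-is
    print(client_ip("10.0.0.2", "<not-an-ip>"))                 # falls back to 10.0.0.2
    print(client_ip("10.0.0.2", "203.0.113.5, 10.0.0.2"))       # 203.0.113.5
    print(client_ip("198.51.100.7", "203.0.113.5"))             # peer is not a trusted proxy
    print(find_suspicious_ip_fields(SAMPLE_ROWS))               # ['2']
```

Validating the value at intake is the fix that removes the injection point; escaping on output in the operator page remains necessary as defence in depth, since other stored visitor fields (username, referrer) travel the same path. The check in `find_suspicious_ip_fields` is what an operator would run over the visitor table after upgrading to 2.60v to find rows written while the vulnerable versions were in use.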