Host Header injection in password Reset in livehelperchat/livehelperchat

Valid

Reported on

Mar 11th 2022


Description

The password reset uses $_SERVER['HTTP_HOST'] to generate the password without any checks or filtering, allowing a malicious attacker to generate a fake password reset link to steal password reset tokens, which may lead to account takeover.

Impact

Account Takeover
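
The pattern the description reports, next to one hardened form, as an added example (not code from livehelperchat and not the project's fix). The host names, the /reset/ path, the token and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical configuration: the hosts this installation is actually served from.
const ALLOWED_HOSTS  = ['chat.example.com', 'support.example.com'];
const CANONICAL_HOST = 'chat.example.com';

// Pattern from the report: the client-supplied Host header goes straight into the link.
function resetLinkUnsafe(array $server, string $token): string
{
    return 'https://' . $server['HTTP_HOST'] . '/reset/' . rawurlencode($token);
}

// Hardened: accept the header only on an exact allowlist match, else use the configured host.
function trustedHost(array $server): string
{
    $raw  = (string) ($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', strtolower(trim($raw))); // drop optional :port
    if (in_array($host, ALLOWED_HOSTS, true)) {
        return $host;
    }
    // A mismatch is worth logging: it is a misconfigured proxy or a forged header.
    error_log('password reset: rejected Host header ' . json_encode($raw));
    return CANONICAL_HOST;
}

function resetLinkSafe(array $server, string $token): string
{
    return 'https://' . trustedHost($server) . '/reset/' . rawurlencode($token);
}

// Constructed requests: two legitimate, two with a forged Host header.
$token    = 'CONSTRUCTED-TOKEN-123';
$requests = [
    ['HTTP_HOST' => 'chat.example.com'],
    ['HTTP_HOST' => 'chat.example.com:443'],
    ['HTTP_HOST' => 'attacker.example'],
    ['HTTP_HOST' => 'chat.example.com@attacker.example'],
];

foreach ($requests as $server) {
    echo $server['HTTP_HOST'], "\n",
         '  unsafe: ', resetLinkUnsafe($server, $token), "\n",
         '  safe:   ', resetLinkSafe($server, $token), "\n";
}
```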

We are processing your report and will contact the livehelperchat team within 24 hours. 2 years ago
Remigijus Kiminas validated this vulnerability 2 years ago
noobexploiterhuntrdev has been awarded the disclosure bounty
The fix bounty is now up for grabs
noobexploiterhuntrdev
2 years ago

Researcher


Awesome, I did reproduce it in mine; here are some PoCs just in case you need them.

We have sent a fix follow up to the livehelperchat team. We will try again in 7 days. 2 years ago
We have sent a second fix follow up to the livehelperchat team. We will try again in 10 days. 2 years ago
We have sent a third and final fix follow up to the livehelperchat team. This report is now considered stale. 2 years ago
Remigijus
2 years ago

Maintainer


This was fixed. But it seems there is some bug in huntr, as I can't confirm a fix :D https://doc.livehelperchat.com/docs/security https://github.com/LiveHelperChat/livehelperchat/commit/ce96791cb4c7420266b668fc234c211914259ba7

Remigijus
2 years ago

Maintainer


@admin I'm a maintainer and I can't close the issue. Why?

Jamie Slome
2 years ago

Admin


@remdex - we have slightly adjusted our UI. You should be able to confirm the fix using the drop-down below.

You should see mark as fixed? Let me know if you are still having issues 👍

Remigijus Kiminas marked this as fixed in 3.97 with commit ce9679 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
forgotpassword.php#L62 has been validated