{"id":16631,"date":"2021-07-07T16:08:56","date_gmt":"2021-07-07T14:08:56","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2019-0057\/"},"modified":"2021-07-19T14:12:37","modified_gmt":"2021-07-19T12:12:37","slug":"usd-2019-0057","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2019-0057\/","title":{"rendered":"usd-2019-0057"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<h1 class=\"h-custom-headline usd-small-letters h2\"><span>usd-2019-0057 | Userlike Chat<\/span><\/h1>\n<p><span><\/span><br \/><strong>Advisory ID<\/strong><span>: usd-2019-0057<\/span><br \/><strong>CVE Number<\/strong><span>: CVE-2019-19213<\/span><br \/><strong>Affected Product<\/strong><span>: Userlike Chat<\/span><br \/><strong>Vulnerability Type<\/strong><span>: Cross-Site Scripting<\/span><br \/><strong>Security Risk<\/strong><span>: Critical<\/span><br \/><strong>Vendor URL<\/strong><span>: <a href=\"https:\/\/userlike.com\/\" target=\"_blank\" rel=\"noopener\">https:\/\/userlike.com<\/a><\/span><br \/><strong>Vendor Status<\/strong><span>: Fixed<\/span><\/p>\n<h3><\/h3>\n<h3>Description<\/h3>\n<p><span>Userlike does not handle data received via websockets requests correctly, thus a malicious client may inject JavaScript that is run in the browser context of a chat operator.<\/span><\/p>\n<p><span><\/span><\/p>\n<h3>Introduction<\/h3>\n<p>Companies that want to use userlike.com need to register first. In order to install the chat on their website, there is a JavaScript Widget that can be downloaded and embedded. Once the chat is setup correctly, users may start a chat session with chat operators. Therefore operators need to login at <a href=\"https:\/\/userlike.com\/de\/\" target=\"_blank\" rel=\"noopener\">https:\/\/userlike.com\/de\/<\/a> and open the chat panel.<\/p>\n<p>In this chat panel, chat operators may create screenshots of the customer\u2019s browser using the <em>\u201e$screenshot\u201c<\/em> command. In the following the screenshot is then uploaded from the client (customer) to the userlike server. The server responds with the URL where the uploaded image may be found. This URL is sent to the chat operator using a websocket and finally embedded in an &lt;img&gt;-tag. Because of insufficient filtering, the URL may contain special characters enabling an attacker to escape the source of this &lt;img&gt;-tag and insert her own markup and XSS payload.<\/p>\n<p>Even though the interaction of the chat operator is required to perform this attack, this vulnerability is considered critical. Performing a social engineering attack an attacker may easily convince a chat operator to take a screenshot of the attacker\u2019s browser.<\/p>\n<p>&nbsp;<\/p>\n<h3>Proof of Concept (PoC)<\/h3>\n<p><span>1. [Operator] type <\/span><em>\u201e$screenshot\u201c<\/em><\/p>\n<p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/1-3-1024x588-1.png\" title_text=\"1-3-1024x588\" _builder_version=\"4.9.4\" _module_preset=\"default\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<p>2. [Customer] start intercepting traffic (including websocket requests)<\/p>\n<p>3. [Operator] send message<\/p>\n<p>4. [Customer] forward websocket requests up to the message containing the screenshot URL:<\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]433228[false,\"https:\/\/www.userlike.com\/api\/proxy\/screenshot\/123456\"]<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n<p><span>4.1. [Customer] extend the URL such that it contains the XSS payload and then forwa<\/span><\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]433228[false,&amp;quot;https:\/\/www.userlike.com\/api\/proxy\/screenshot\/123456?usd=\\&amp;quot;&amp;gt;&amp;lt;img src=x onerror=alert(1)&amp;gt;&amp;quot;]<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\"]<\/p>\n<p><span>5. The XSS Payload is run in the operator\u2019s browser:<\/span><\/p>\n<p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/2-2.png\" title_text=\"2-2\" _builder_version=\"4.9.4\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<div class=\"e16902-22 x-container max width\">\n<div class=\"e16902-23 x-column x-sm x-1-1\">\n<h3>Fix<\/h3>\n<p><span>Treat websocket-requests that are sent by the client as regular user controlled data. Make sure to encode or filter user controlled content before embedding and replaying it.<\/span><\/p>\n<h3><\/h3>\n<h3>Timeline<\/h3>\n<ul>\n<li>2019-09-18 This vulnerability was found by Konstantin Samuel during a pentest<\/li>\n<li>2019-11-14 Vendor schedules update for this date<\/li>\n<li>2019-11-25 Vendor fixed the issue<\/li>\n<li><span>2020-04-29\u00a0<\/span><span>Security advisory released<\/span><\/li>\n<\/ul>\n<h3><\/h3>\n<h3>Credits<\/h3>\n<p><span>This security vulnerabilities were found by Konstantin Samuel of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2019-0057 | Userlike Chat Advisory ID: usd-2019-0057CVE Number: CVE-2019-19213Affected Product: Userlike ChatVulnerability Type: Cross-Site ScriptingSecurity Risk: CriticalVendor URL: https:\/\/userlike.comVendor Status: Fixed Description Userlike does not handle data received via websockets requests correctly, thus a malicious client may inject JavaScript that is run in the browser context of a chat operator. Introduction Companies that want to [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16631","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16631","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16631"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16631\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16631"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}