CVE-2024-27516 - Server-Side Template Injection Vulnerability in LiveHelperChat Before v4.34 Allows Remote Code Execution

In February 2024, a new critical vulnerability, CVE-2024-27516, was discovered in LiveHelperChat, an open-source live support chat system. The issue, present in versions before 4.34, enables unauthenticated attackers to run arbitrary server-side code and read sensitive data. It is caused by a Server-Side Template Injection (SSTI) flaw in the search parameter of the /lhc_web/modules/lhfaq/faqweight.php endpoint.

What Is SSTI?

Server-Side Template Injection (SSTI) lets an attacker inject template expressions into the template engine used to render web pages. Because those expressions are evaluated on the server, unsanitized input can lead to information disclosure, command execution, or even total server takeover.

The vulnerability is found in

/lhc_web/modules/lhfaq/faqweight.php?search=<payload>

The search parameter is improperly handled, allowing untrusted user input to be passed directly into the template engine.

Here is a simplified version of the vulnerable PHP code:

// Sample vulnerable code: faqweight.php
$search = $_GET['search'] ?? '';
$template = new Template();
$template->set('search', $search);
// Vulnerable: 'search' content ends up in the template rendering!
echo $template->fetch('lhfaq/faqweight.tpl.php');

Because $search is neither escaped nor sanitized, the template engine processes attacker-controlled input as template code rather than as plain text.

Proof of Concept (PoC) Exploit

Below is a simple example of exploiting this vulnerability to execute the phpinfo() function and display detailed PHP configuration:

Exploit Request

GET /lhc_web/modules/lhfaq/faqweight.php?search={{phpinfo()}} HTTP/1.1
Host: target.com

Result

If the application is vulnerable, the page returns the output of phpinfo(), exposing the PHP version, loaded modules, paths, and more. That is only the first step: depending on the template engine in use, attackers can chain payloads to read files or run arbitrary system commands.

Impact

- Remote Code Execution (RCE): Attackers can run arbitrary system commands on the server.

- Sensitive Information Exposure: Includes database credentials, configuration files, user data, session tokens, and more.
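The exploit request above leaves a recognisable trace in web server access logs: a request to faqweight.php whose search parameter carries template-expression syntax. The following Python script, an added example that is not part of the original advisory or of the LiveHelperChat project, parses combined-format access log lines, URL-decodes the search parameter (repeatedly, so a double-encoded payload is not missed), and reports requests that match. The log lines are constructed for the example; the endpoint path is the one named in the advisory, and the {%...%} and ${...} markers are added as general template syntax, not something the advisory attributes to LiveHelperChat.

```python
"""Detect SSTI attempts against faqweight.php in web server access logs.

Added example (not LiveHelperChat code). Works offline on the constructed
sample below; point find_ssti_attempts() at real log text to use it.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint named in the advisory.
VULN_PATH = "/lhc_web/modules/lhfaq/faqweight.php"

# Combined log format: ip, ident, user, [timestamp], "request line", status, size, "referer", "user agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Template-expression markers. The advisory shows {{...}}; {%...%} and ${...}
# are common in other engines and are cheap to watch for as well.
TEMPLATE_SYNTAX_RE = re.compile(r"\{\{|\}\}|\{%|%\}|\$\{")

# Constructed sample traffic (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2024:10:12:01 +0000] "GET /lhc_web/modules/lhfaq/faqweight.php?search=refund HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Mar/2024:10:12:07 +0000] "GET /lhc_web/modules/lhfaq/faqweight.php?search=%7B%7Bphpinfo()%7D%7D HTTP/1.1" 200 98211 "-" "curl/8.4.0"
203.0.113.12 - - [01/Mar/2024:10:12:09 +0000] "GET /lhc_web/index.php/chat/startchat HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.13 - - [01/Mar/2024:10:12:15 +0000] "GET /lhc_web/modules/lhfaq/faqweight.php?search=%257B%257Bphpinfo()%257D%257D HTTP/1.1" 200 1543 "-" "python-requests/2.31"
"""


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing, so %257B (double-encoded '{') is seen as '{'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_template_syntax(value: str) -> bool:
    """True when the (fully decoded) value carries template-expression markers."""
    return TEMPLATE_SYNTAX_RE.search(decode_fully(value)) is not None


def parse_log_line(line: str):
    """Split one combined-format line into fields; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs performs one round of URL decoding; decode_fully handles the rest.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def find_ssti_attempts(log_text: str) -> list:
    """Return one record per request to VULN_PATH whose search parameter looks like a template expression."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["path"] != VULN_PATH:
            continue
        for raw in rec["query"].get("search", []):
            if contains_template_syntax(raw):
                hits.append({
                    "ip": rec["ip"],
                    "time": rec["ts"],
                    "search": decode_fully(raw),
                    "status": rec["status"],
                    "ua": rec["ua"],
                })
    return hits


if __name__ == "__main__":
    for hit in find_ssti_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} status={hit['status']} search={hit['search']!r} ua={hit['ua']}")
```

A 200 response with an unusually large body on a flagged request (the second sample line) is a strong sign the payload was actually rendered, whereas a flagged request that returned 403 after the web server block from the workaround section is the expected, harmless outcome. The marker list is a screening aid for triage, not a substitute for the upgrade.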

How To Fix

Upgrade immediately to LiveHelperChat 4.34 or newer.

Alternative Workarounds (temporary)

- Block access to /lhc_web/modules/lhfaq/faqweight.php in your web server until the upgrade is in place.

References & Further Reading

- Original CVE Details: CVE-2024-27516 on NVD
- GitHub Issue & LiveHelperChat Fix
- OWASP - Template Injection

Conclusion

CVE-2024-27516 is a critical vulnerability that requires immediate attention. If you run LiveHelperChat before v4.34, upgrade now! SSTI flaws like this are easy to exploit, even for low-skilled attackers, and place your server and your users’ data at risk. Always validate and sanitize user input before passing it to any template engine, and keep your software up to date.

Have questions or need help with remediation? Drop a comment below or visit the official documentation.

Timeline

Published on: 02/29/2024 01:44:20 UTC
Last modified on: 07/03/2024 01:50:41 UTC