CVE-2024-27516

9.8 CRITICAL

📋 TL;DR

This CVE describes a Server-Side Template Injection (SSTI) vulnerability in Live Helper Chat that allows remote attackers to execute arbitrary code and access sensitive information via the search parameter. Attackers can achieve remote code execution with high privileges. All users running affected versions of Live Helper Chat are vulnerable.

💻 Affected Systems

Products:
  • Live Helper Chat
Versions: All versions before 4.34v
Operating Systems: All operating systems running Live Helper Chat
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the vulnerable file accessible are affected; no special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the server, data exfiltration, and lateral movement to other systems.

🟠 Likely Case

Remote code execution leading to data theft, installation of backdoors, or use of the server for further attacks.

🟢 If Mitigated

Attack blocked at the perimeter with no successful exploitation; impact limited to log entries recording the attempts.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable via web interface and requires no authentication.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in a publicly accessible endpoint with no authentication required; exploit code is available in public repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.34v and later

Vendor Advisory: https://github.com/LiveHelperChat/livehelperchat/commit/a61d231526a36d4a7d8cc957914799ee1f9db0ab

Restart Required: No

Instructions:

1. Download latest version from official repository.
2. Backup current installation.
3. Replace affected files with patched versions.
4. Verify functionality.

🔧 Temporary Workarounds

Block access to vulnerable endpoint

Platform: all

Temporarily block access to the vulnerable PHP file via web server configuration

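# For Apache 2.4+: add to .htaccess
<Files "faqweight.php">
    Require all denied
</Files>
# For Apache 2.2 (or 2.4 with mod_access_compat): use the legacy directives instead
<Files "faqweight.php">
    Order Allow,Deny
    Deny from all
</Files>
# For Nginx: add to server block (dot escaped so it matches only a literal ".")
location ~ /lhc_web/modules/lhfaq/faqweight\.php {
    deny all;
    return 403;
}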

🧯 If You Can't Patch

  • Implement strict WAF rules to block SSTI payloads in search parameters
  • Restrict network access to Live Helper Chat interface to trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Check if file exists at lhc_web/modules/lhfaq/faqweight.php and version is below 4.34v

Check Version:

grep -r "version" lhc_web/design/defaulttheme/version.txt 2>/dev/null || find . -name "*.php" -exec grep -l "LHC_VERSION" {} \; | head -1

Verify Fix Applied:

Verify version is 4.34v or higher and check that the search parameter validation has been implemented in faqweight.php

📡 Detection & Monitoring

Log Indicators:

  • Unusual search parameters containing template syntax like {{, }}, ${{, #, *{
  • Multiple requests to faqweight.php with encoded payloads
  • POST/GET requests to faqweight.php with suspicious search terms

Network Indicators:

  • HTTP requests to /lhc_web/modules/lhfaq/faqweight.php with template injection patterns
  • Outbound connections from Live Helper Chat server to unknown destinations

SIEM Query:

source="web_logs" AND (uri="/lhc_web/modules/lhfaq/faqweight.php" AND (query="*{{*" OR query="*}}*" OR query="*${{*"))
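
The SIEM query above matches only raw braces, while the log indicators also mention encoded payloads. The following added example (not code from this advisory or from the Live Helper Chat project) percent-decodes each request target repeatedly before looking for the template markers. It assumes combined-format access logs and a `search` value carried in the query string; the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Client IP, request target and status from a combined-format access log line.
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
# Template markers from the log indicators above ("#" omitted: too noisy alone).
MARKERS = ("{{", "}}", "${{", "*{")
ENDPOINT = "faqweight.php"  # file named in this advisory


def fully_decode(target, max_rounds=5):
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def suspicious_requests(lines):
    """Return (client_ip, status, decoded_target) for each flagged line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        decoded = fully_decode(target)
        if ENDPOINT in decoded.lower() and any(k in decoded for k in MARKERS):
            hits.append((ip, int(status), decoded))
    return hits


# Constructed sample lines (not real traffic); the query layout is assumed.
P = "/lhc_web/modules/lhfaq/faqweight.php?search="
SAMPLE_LOG = [
    f'198.51.100.7 - - [01/Mar/2024:10:00:01 +0000] "GET {P}pricing HTTP/1.1" 200 512',
    f'203.0.113.5 - - [01/Mar/2024:10:00:02 +0000] "GET {P}%7B%7Btest%7D%7D HTTP/1.1" 200 640',
    f'203.0.113.5 - - [01/Mar/2024:10:00:03 +0000] "GET {P}%257B%257Btest%257D%257D HTTP/1.1" 500 87',
    '203.0.113.9 - - [01/Mar/2024:10:00:04 +0000] "GET /index.php?q=%7B%7Btest%7D%7D HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for ip, status, target in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT {ip} status={status} {target}")
```

POST bodies are not recorded in standard access logs, so requests that carry the value in the body need WAF or application-level logging to be covered.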
