Weak secrethash can be brute-forced in livehelperchat/livehelperchat
Description
Weak secrethash can be brute-forced in GitHub repository livehelperchat/livehelperchat prior to 3.96.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A weak secret hash in LiveHelperChat prior to v3.96 can be brute-forced, enabling attackers to spoof authenticated actions.
Vulnerability
LiveHelperChat versions prior to 3.96 use a weak secret hash for generating security tokens. During installation, the secret hash is generated as `substr(md5(time() . ":" . mt_rand()),0,10)`: only 10 characters of an MD5 output, seeded with the current Unix timestamp and a weak random number. This reduces the effective entropy and makes the hash predictable or brute-forceable [1][3][4]. The hash is used in authentication checks, such as for file upload tokens and other security-sensitive operations.
Exploitation
An attacker can exploit this by either predicting the secret hash if they know the approximate installation time or by brute-forcing the 10-character alphanumeric hash (62^10 ≈ 8.4×10^17 possibilities, but with weak seeding the effective search space is much smaller). No special network position or authentication is required beyond access to the installation's public endpoints that use the hash for validation [2][4]. The attacker can mount an online brute-force attack to guess the correct hash and then forge a valid token.
Impact
Successful brute-forcing of the secret hash allows an attacker to forge security tokens, potentially impersonating legitimate users or performing operations that require hash-based verification. This could lead to unauthorized file uploads, data manipulation, or other actions depending on how the hash is used in the application [2][4]. The impact is moderate, as the attacker does not gain direct administrative control but can bypass certain security checks.
Mitigation
The fix was introduced in LiveHelperChat version 3.96. The patch increases the secret hash length to 80 characters and changes its generation algorithm to use a cryptographically secure random value via `erLhcoreClassChat::generateHash(80)` [2][3]. Users should upgrade to version 3.96 or later. As a workaround, administrators can manually set a strong secret hash via the environment variable `LHC_SECRET_HASH` [3]. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
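The patch shown on this page changes only the installation routines, so a site installed before 3.96 may still hold a 10-character value after upgrading. The following audit helper is an added example, not LiveHelperChat code: it flags a configured `secrethash` that has the legacy shape (PHP's `md5()` returns lowercase hex, so 10 characters carry at most 40 bits) and generates an 80-character replacement usable as `LHC_SECRET_HASH`. The function names and the 128-bit threshold are assumptions made for the example.

```python
import math
import re
import secrets

# Shape produced by the pre-3.96 installer: substr(md5(...), 0, 10).
# PHP's md5() returns lowercase hex, so the value is 10 hex digits.
LEGACY_RE = re.compile(r"[0-9a-f]{10}")
MIN_BITS = 128  # assumed policy threshold, not a value from the project


def max_entropy_bits(value: str) -> float:
    """Upper bound on entropy from length and the character classes present."""
    if not value:
        return 0.0
    if re.fullmatch(r"[0-9a-f]+", value) or re.fullmatch(r"[0-9A-F]+", value):
        alphabet = 16
    else:
        alphabet = 0
        alphabet += 10 if re.search(r"[0-9]", value) else 0
        alphabet += 26 if re.search(r"[a-z]", value) else 0
        alphabet += 26 if re.search(r"[A-Z]", value) else 0
        alphabet += 32 if re.search(r"[^0-9a-zA-Z]", value) else 0
    return len(value) * math.log2(alphabet)


def audit_secrethash(value: str) -> dict:
    """Classify a configured secrethash and say whether it should be rotated."""
    bits = max_entropy_bits(value)
    legacy = LEGACY_RE.fullmatch(value) is not None
    return {
        "legacy_format": legacy,
        "max_entropy_bits": round(bits, 1),
        "rotate": legacy or bits < MIN_BITS,
    }


def new_secret(length: int = 80) -> str:
    """Generate a replacement from the OS CSPRNG (hex, `length` characters)."""
    return secrets.token_hex((length + 1) // 2)[:length]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real installation.
    for sample in ("9f1c3a7be2", "changeme", new_secret()):
        print(sample[:12], audit_secrethash(sample))
```

The bit count is a ceiling derived from length and alphabet only; a value built from a timestamp and `mt_rand()` has less real entropy than its ceiling, so a legacy-format match is always reported for rotation.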
- GitHub - LiveHelperChat/livehelperchat: Live Helper Chat - live support for your website. Featuring web and mobile apps, Voice & Video & ScreenShare. Supports Telegram, Twilio (whatsapp), Facebook messenger including building a bot.
- NVD - CVE-2022-1235
- Increase size of secret hash and chagne it's algorithm · LiveHelperChat/livehelperchat@6538d6d
- The world’s first bug bounty platform for AI/ML
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| remdex/livehelperchat (Packagist) | < 3.96 | 3.96 |
Affected products
- osv-coords (2 versions): < 3.96.0, + 1 more
- (no CPE) range: < 3.96.0
- (no CPE) range: < 3.96
- livehelperchat/livehelperchat/livehelperchat v5, range: unspecified
Patches
6538d6df3d8a: Increase size of secret hash and chagne it's algorithm
3 files changed · +3 −3
lhc_web/cli/lib/install.php+1 −1 modified@@ -84,7 +84,7 @@ function step2() { foreach ($database as $key => $value) { $cfgSite->setSetting( 'db', $key, $value); } - $cfgSite->setSetting( 'site', 'secrethash', substr(md5(time() . ":" . mt_rand()),0,10)); + $cfgSite->setSetting( 'site', 'secrethash', erLhcoreClassChat::generateHash(80)); return true; } else { return $Errors;
lhc_web/modules/lhcaptcha/captchastring.php+1 −1 modified@@ -8,7 +8,7 @@ header('Cache-Control: post-check=0, pre-check=0', false ); header('Pragma: no-cache' ); -$hash = sha1(erLhcoreClassIPDetect::getIP().$Params['user_parameters']['timets'].erConfigClassLhConfig::getInstance()->getSetting( 'site', 'secrethash' )); +$hash = sha1(erLhcoreClassIPDetect::getIP() . $Params['user_parameters']['timets'] . erConfigClassLhConfig::getInstance()->getSetting( 'site', 'secrethash' )); if ( (time()-$Params['user_parameters']['timets']) > 600 || (time()-($Params['user_parameters']['timets'] - 5)) < 0) { echo json_encode(array('result' => 'false'));
lhc_web/modules/lhinstall/install.php+1 −1 modified@@ -164,7 +164,7 @@ $cfgSite->setSetting( 'db', 'password', $form->DatabasePassword); $cfgSite->setSetting( 'db', 'database', $form->DatabaseDatabaseName); $cfgSite->setSetting( 'db', 'port', $form->DatabasePort); - $cfgSite->setSetting( 'site', 'secrethash', (!empty(getenv('LHC_SECRET_HASH')) ? getenv('LHC_SECRET_HASH') : substr(md5(time() . ":" . mt_rand()),0,10))); + $cfgSite->setSetting( 'site', 'secrethash', (!empty(getenv('LHC_SECRET_HASH')) ? getenv('LHC_SECRET_HASH') : erLhcoreClassChat::generateHash(80))); $cfgSite->save(); $tpl->setFile('lhinstall/install3.tpl.php');
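Review bot: In lhc_web/cli/lib/install.php the new line calls erLhcoreClassChat::generateHash(80) unconditionally, while the web installer changed in the same commit checks getenv('LHC_SECRET_HASH') first; the CLI path should honour the same override so both installers behave alike. The body of generateHash is not part of this diff, so the commit description should confirm that it draws from a CSPRNG (random_bytes or random_int) and not from mt_rand, because a longer string alone does not remove the predictability of the old value.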
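Review bot: The lhc_web/modules/lhcaptcha/captchastring.php change is whitespace only, and the token is still sha1(IP . timets . secrethash), with no separator between the fields and the secret simply appended to request-supplied data. Consider a keyed construction such as hash_hmac('sha256', $ip . '|' . $timets, $secrethash), applied on the generating side as well, with hash_equals wherever the result is compared. The timets parameter also feeds the time arithmetic on the following line and should be cast to int before use.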
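Review bot: In lhc_web/modules/lhinstall/install.php the LHC_SECRET_HASH value is accepted whenever it is non-empty, so a short operator-supplied string bypasses the new 80-character default; add a minimum-length check and either fail the install or fall back to generateHash(80). getenv('LHC_SECRET_HASH') is also called twice and could be read once into a local variable. Nothing in this commit touches the secrethash of an installation that already exists, so the release notes should tell upgraders to rotate it.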
Vulnerability mechanics
Root cause
"The use of a short, low-entropy 10-character MD5 hash for the `secrethash` allows for brute-force attacks."
Attack vector
An attacker can brute-force the weak `secrethash` used in the application. Because the original implementation used a short 10-character string derived from `md5(time() . ":" . mt_rand())`, the entropy is insufficient to prevent unauthorized access or manipulation of features relying on this hash [patch_id=18147]. The advisory does not specify the exact network path or payload shape required to exploit this vulnerability.
Affected code
The vulnerability exists in `lhc_web/cli/lib/install.php` and `lhc_web/modules/lhinstall/install.php`, where the `secrethash` is generated during installation. These files are responsible for initializing the site configuration [patch_id=18147].
What the fix does
The patch replaces the weak 10-character `md5` hash generation with a call to `erLhcoreClassChat::generateHash(80)` [patch_id=18147]. This significantly increases the length and complexity of the `secrethash`, making it resistant to brute-force attacks. The change is applied consistently across both CLI and web-based installation routines [patch_id=18147].
Preconditions
- config: The application must be installed using the vulnerable version of the installation scripts.
Generated on May 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vx8v-g3p3-88vg (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-1235 (ghsa, ADVISORY)
- github.com/livehelperchat/livehelperchat/commit/6538d6df3d8a60fee254170b08dd76a161f7bfdc (ghsa, x_refsource_MISC, WEB)
- huntr.dev/bounties/92f7b2d4-fa88-4c62-a2ee-721eebe01705 (ghsa, x_refsource_CONFIRM, WEB)