Document Title:
============
Beehive Forum v1.4.4 Stored XSS Vulnerability
Author:
==============
Halil Dalabasmaz
Release Date:
===========
23 Feb 2015
Product & Service Introduction:
========================
Beehive is an open-source project for creating a high-configurable
frame-based discussion forum.
Vendor Homepage:
=================
http://www.beehiveforum.co.uk
Abstract Advisory Information:
=======================
BGA Security Team discovered an Stored XSS vulnerability in
Beehive Forum v1.4.4
Vulnerability Disclosure Timeline:
=========================
20 Feb 2015 - Contact with Vendor
21 Feb 2015 - Vendor Response
22 Feb 2015 - Vendor Fix
23 Feb 2015 - Confirm Fix
23 Feb 2015 - Public Disclosure
Discovery Status:
=============
Published
Affected Product(s):
===============
Beehive Forum v1.4.4
Exploitation Technique:
==================
Remote, Unauthenticated
Severity Level:
===========
High
Technical Details & Description:
========================
Stored XSS
Tested On:
============
Iceweasel & Chromium
Sample Payload:
=================
http://"><script>alert('XSS');</script>
Proof of Concept (PoC):
=======================
Proof of Concept
The vulnerable inputs are "Homepage URL", "Picture URL" and "Avatar URL" on Profile Section.
Following line contain the vulnerability in edit_prefs.php;
if (isset($_POST['homepage_url'])) {
$user_prefs['HOMEPAGE_URL'] = trim($_POST['homepage_url']);
$user_prefs_global['HOMEPAGE_URL'] = (isset($_POST['homepage_url_global'])) ? $_POST['homepage_url_global'] == "Y" : true;
if (strlen(trim($user_prefs['HOMEPAGE_URL'])) > 0) {
if (preg_match('/^http:\/\//u', $user_prefs['HOMEPAGE_URL']) < 1) {
$error_msg_array[] = gettext("Homepage URL must include http:// schema.");
$valid = false;
} else if (!user_check_pref('HOMEPAGE_URL', $user_prefs['HOMEPAGE_URL'])) {
$error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Homepage URL"));
$valid = false;
}
}
}
if (isset($_POST['pic_url'])) {
$user_prefs['PIC_URL'] = trim($_POST['pic_url']);
$user_prefs_global['PIC_URL'] = (isset($_POST['pic_url_global'])) ? $_POST['pic_url_global'] == "Y" : true;
if (strlen(trim($user_prefs['PIC_URL'])) > 0) {
if (preg_match('/^http:\/\//u', $user_prefs['PIC_URL']) < 1) {
$error_msg_array[] = gettext("Picture URL must include http:// schema.");
$valid = false;
} else if (!user_check_pref('PIC_URL', $user_prefs['PIC_URL'])) {
$error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Picture URL"));
$valid = false;
}
}
}
if (strlen(trim($user_prefs['AVATAR_URL'])) > 0) {
if (preg_match('/^http:\/\//u', $user_prefs['AVATAR_URL']) < 1) {
$error_msg_array[] = gettext("Avatar URL must include http:// schema.");
$valid = false;
} else if (!user_check_pref('AVATAR_URL', $user_prefs['AVATAR_URL'])) {
$error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Avatar URL"));
$valid = false;
}
}
Solution Fix & Patch:
================
Upgrade the the script.
Security Risk:
==========
The risk of the vulnerabilities above estimated as high.
Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without
any warranty. BGA disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for
a particular purpose. BGA or its suppliers are not liable in any case of
damage, including direct, indirect, incidental, consequential loss of
business profits or special damages.
Domain: www.bga.com.tr
Social: twitter.com/bgasecurity
Contact: advisory@bga.com.tr
Copyright 2015 | BGA