Beehive Forum 1.4.4 - Persistent Cross-Site Scripting

EDB-ID:

36154


Platform:

PHP

Published:

2015-02-23

Document Title:
============
Beehive Forum v1.4.4 Stored XSS Vulnerability

Author:
==============
Halil Dalabasmaz

Release Date:
===========
23 Feb 2015

Product & Service Introduction:
========================
Beehive is an open-source project for creating a high-configurable
frame-based discussion forum.

Vendor Homepage:
=================
http://www.beehiveforum.co.uk

Abstract Advisory Information:
=======================
BGA Security Team discovered an Stored XSS vulnerability in 
Beehive Forum v1.4.4

Vulnerability Disclosure Timeline:
=========================
20 Feb 2015 -   Contact with Vendor
21 Feb 2015	-   Vendor Response
22 Feb 2015 -   Vendor Fix
23 Feb 2015 -   Confirm Fix
23 Feb 2015 -   Public Disclosure

Discovery Status:
=============
Published

Affected Product(s):
===============
Beehive Forum v1.4.4 

Exploitation Technique:
==================
Remote, Unauthenticated

Severity Level:
===========
High

Technical Details & Description:
========================
Stored XSS

Tested On:
============
Iceweasel & Chromium

Sample Payload:
=================
http://"><script>alert('XSS');</script>

Proof of Concept (PoC):
=======================
Proof of Concept

The vulnerable inputs are "Homepage URL", "Picture URL" and "Avatar URL" on Profile Section.
Following line contain the vulnerability in edit_prefs.php; 

    if (isset($_POST['homepage_url'])) {

        $user_prefs['HOMEPAGE_URL'] = trim($_POST['homepage_url']);
        $user_prefs_global['HOMEPAGE_URL'] = (isset($_POST['homepage_url_global'])) ? $_POST['homepage_url_global'] == "Y" : true;

        if (strlen(trim($user_prefs['HOMEPAGE_URL'])) > 0) {

            if (preg_match('/^http:\/\//u', $user_prefs['HOMEPAGE_URL']) < 1) {
                $error_msg_array[] = gettext("Homepage URL must include http:// schema.");
                $valid = false;

            } else if (!user_check_pref('HOMEPAGE_URL', $user_prefs['HOMEPAGE_URL'])) {

                $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Homepage URL"));
                $valid = false;
            }
        }
    }

    if (isset($_POST['pic_url'])) {

        $user_prefs['PIC_URL'] = trim($_POST['pic_url']);
        $user_prefs_global['PIC_URL'] = (isset($_POST['pic_url_global'])) ? $_POST['pic_url_global'] == "Y" : true;

        if (strlen(trim($user_prefs['PIC_URL'])) > 0) {

            if (preg_match('/^http:\/\//u', $user_prefs['PIC_URL']) < 1) {
                $error_msg_array[] = gettext("Picture URL must include http:// schema.");
                $valid = false;

            } else if (!user_check_pref('PIC_URL', $user_prefs['PIC_URL'])) {

                $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Picture URL"));
                $valid = false;
            }
        }
    }

   if (strlen(trim($user_prefs['AVATAR_URL'])) > 0) {

      if (preg_match('/^http:\/\//u', $user_prefs['AVATAR_URL']) < 1) {
         $error_msg_array[] = gettext("Avatar URL must include http:// schema.");
         $valid = false;

         } else if (!user_check_pref('AVATAR_URL', $user_prefs['AVATAR_URL'])) {

               $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Avatar URL"));
               $valid = false;
            }
        }

Solution Fix & Patch:
================
Upgrade the the script.

Security Risk:
==========
The risk of the vulnerabilities above estimated as high.

Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without 
any warranty. BGA disclaims all  warranties, either expressed or 
implied, including the warranties of merchantability and capability for 
a particular purpose. BGA or its suppliers are not liable in any case of 
damage, including direct, indirect, incidental, consequential loss of 
business profits or special damages.
			
Domain:     www.bga.com.tr
Social:     twitter.com/bgasecurity
Contact:    advisory@bga.com.tr
	
Copyright © 2015 | BGA - Bilgi Güvenliği Akademisi