Beehive Forum v1.4.4 Stored XSS Vulnerability

vendor:

Beehive Forum

by:

Halil Dalabasmaz

7.5

CVSS

HIGH

Stored XSS

CWE

Product Name: Beehive Forum

Affected Version From: Beehive Forum v1.4.4

Affected Version To: Beehive Forum v1.4.4

Patch Exists: YES

Related CWE: N/A

CPE: a:beehiveforum:beehive_forum

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Iceweasel & Chromium

2015

Beehive Forum v1.4.4 Stored XSS Vulnerability

BGA Security Team discovered an Stored XSS vulnerability in Beehive Forum v1.4.4. The vulnerable inputs are 'Homepage URL', 'Picture URL' and 'Avatar URL' on Profile Section. Following line contain the vulnerability in edit_prefs.php; if (isset($_POST['homepage_url'])) { $user_prefs['HOMEPAGE_URL'] = trim($_POST['homepage_url']); $user_prefs_global['HOMEPAGE_URL'] = (isset($_POST['homepage_url_global'])) ? $_POST['homepage_url_global'] == 'Y' : true; if (strlen(trim($user_prefs['HOMEPAGE_URL'])) > 0) { if (preg_match('/^http:///u', $user_prefs['HOMEPAGE_URL']) < 1) { $error_msg_array[] = gettext('Homepage URL must include http:// schema.'); $valid = false; } else if (!user_check_pref('HOMEPAGE_URL', $user_prefs['HOMEPAGE_URL'])) { $error_msg_array[] = sprintf(gettext('%s is not a valid Homepage URL'), $user_prefs['HOMEPAGE_URL']); $valid = false; } } }

Mitigation:

Ensure that user input is properly sanitized and validated before being stored and displayed.

Source

Exploit-DB raw data:

Document Title:
============
Beehive Forum v1.4.4 Stored XSS Vulnerability

Author:
==============
Halil Dalabasmaz

Release Date:
===========
23 Feb 2015

Product & Service Introduction:
========================
Beehive is an open-source project for creating a high-configurable
frame-based discussion forum.

Vendor Homepage:
=================
http://www.beehiveforum.co.uk

Abstract Advisory Information:
=======================
BGA Security Team discovered an Stored XSS vulnerability in 
Beehive Forum v1.4.4

Vulnerability Disclosure Timeline:
=========================
20 Feb 2015 -   Contact with Vendor
21 Feb 2015	-   Vendor Response
22 Feb 2015 -   Vendor Fix
23 Feb 2015 -   Confirm Fix
23 Feb 2015 -   Public Disclosure

Discovery Status:
=============
Published

Affected Product(s):
===============
Beehive Forum v1.4.4 

Exploitation Technique:
==================
Remote, Unauthenticated

Severity Level:
===========
High

Technical Details & Description:
========================
Stored XSS

Tested On:
============
Iceweasel & Chromium

Sample Payload:
=================
http://"><script>alert('XSS');</script>

Proof of Concept (PoC):
=======================
Proof of Concept

The vulnerable inputs are "Homepage URL", "Picture URL" and "Avatar URL" on Profile Section.
Following line contain the vulnerability in edit_prefs.php; 

    if (isset($_POST['homepage_url'])) {

        $user_prefs['HOMEPAGE_URL'] = trim($_POST['homepage_url']);
        $user_prefs_global['HOMEPAGE_URL'] = (isset($_POST['homepage_url_global'])) ? $_POST['homepage_url_global'] == "Y" : true;

        if (strlen(trim($user_prefs['HOMEPAGE_URL'])) > 0) {

            if (preg_match('/^http:\/\//u', $user_prefs['HOMEPAGE_URL']) < 1) {
                $error_msg_array[] = gettext("Homepage URL must include http:// schema.");
                $valid = false;

            } else if (!user_check_pref('HOMEPAGE_URL', $user_prefs['HOMEPAGE_URL'])) {

                $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Homepage URL"));
                $valid = false;
            }
        }
    }

    if (isset($_POST['pic_url'])) {

        $user_prefs['PIC_URL'] = trim($_POST['pic_url']);
        $user_prefs_global['PIC_URL'] = (isset($_POST['pic_url_global'])) ? $_POST['pic_url_global'] == "Y" : true;

        if (strlen(trim($user_prefs['PIC_URL'])) > 0) {

            if (preg_match('/^http:\/\//u', $user_prefs['PIC_URL']) < 1) {
                $error_msg_array[] = gettext("Picture URL must include http:// schema.");
                $valid = false;

            } else if (!user_check_pref('PIC_URL', $user_prefs['PIC_URL'])) {

                $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Picture URL"));
                $valid = false;
            }
        }
    }

   if (strlen(trim($user_prefs['AVATAR_URL'])) > 0) {

      if (preg_match('/^http:\/\//u', $user_prefs['AVATAR_URL']) < 1) {
         $error_msg_array[] = gettext("Avatar URL must include http:// schema.");
         $valid = false;

         } else if (!user_check_pref('AVATAR_URL', $user_prefs['AVATAR_URL'])) {

               $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Avatar URL"));
               $valid = false;
            }
        }

Solution Fix & Patch:
================
Upgrade the the script.

Security Risk:
==========
The risk of the vulnerabilities above estimated as high.

Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without 
any warranty. BGA disclaims all  warranties, either expressed or 
implied, including the warranties of merchantability and capability for 
a particular purpose. BGA or its suppliers are not liable in any case of 
damage, including direct, indirect, incidental, consequential loss of 
business profits or special damages.
			
Domain:     www.bga.com.tr
Social:     twitter.com/bgasecurity
Contact:    advisory@bga.com.tr
	
Copyright © 2015 | BGA - Bilgi Güvenliği Akademisi