Document Title: ============ Beehive Forum v1.4.4 Stored XSS Vulnerability Author: ============== Halil Dalabasmaz Release Date: =========== 23 Feb 2015 Product & Service Introduction: ======================== Beehive is an open-source project for creating a high-configurable frame-based discussion forum. Vendor Homepage: ================= http://www.beehiveforum.co.uk Abstract Advisory Information: ======================= BGA Security Team discovered an Stored XSS vulnerability in Beehive Forum v1.4.4 Vulnerability Disclosure Timeline: ========================= 20 Feb 2015 - Contact with Vendor 21 Feb 2015 - Vendor Response 22 Feb 2015 - Vendor Fix 23 Feb 2015 - Confirm Fix 23 Feb 2015 - Public Disclosure Discovery Status: ============= Published Affected Product(s): =============== Beehive Forum v1.4.4 Exploitation Technique: ================== Remote, Unauthenticated Severity Level: =========== High Technical Details & Description: ======================== Stored XSS Tested On: ============ Iceweasel & Chromium Sample Payload: ================= http://"> Proof of Concept (PoC): ======================= Proof of Concept The vulnerable inputs are "Homepage URL", "Picture URL" and "Avatar URL" on Profile Section. Following line contain the vulnerability in edit_prefs.php; if (isset($_POST['homepage_url'])) { $user_prefs['HOMEPAGE_URL'] = trim($_POST['homepage_url']); $user_prefs_global['HOMEPAGE_URL'] = (isset($_POST['homepage_url_global'])) ? $_POST['homepage_url_global'] == "Y" : true; if (strlen(trim($user_prefs['HOMEPAGE_URL'])) > 0) { if (preg_match('/^http:\/\//u', $user_prefs['HOMEPAGE_URL']) < 1) { $error_msg_array[] = gettext("Homepage URL must include http:// schema."); $valid = false; } else if (!user_check_pref('HOMEPAGE_URL', $user_prefs['HOMEPAGE_URL'])) { $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Homepage URL")); $valid = false; } } } if (isset($_POST['pic_url'])) { $user_prefs['PIC_URL'] = trim($_POST['pic_url']); $user_prefs_global['PIC_URL'] = (isset($_POST['pic_url_global'])) ? $_POST['pic_url_global'] == "Y" : true; if (strlen(trim($user_prefs['PIC_URL'])) > 0) { if (preg_match('/^http:\/\//u', $user_prefs['PIC_URL']) < 1) { $error_msg_array[] = gettext("Picture URL must include http:// schema."); $valid = false; } else if (!user_check_pref('PIC_URL', $user_prefs['PIC_URL'])) { $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Picture URL")); $valid = false; } } } if (strlen(trim($user_prefs['AVATAR_URL'])) > 0) { if (preg_match('/^http:\/\//u', $user_prefs['AVATAR_URL']) < 1) { $error_msg_array[] = gettext("Avatar URL must include http:// schema."); $valid = false; } else if (!user_check_pref('AVATAR_URL', $user_prefs['AVATAR_URL'])) { $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Avatar URL")); $valid = false; } } Solution Fix & Patch: ================ Upgrade the the script. Security Risk: ========== The risk of the vulnerabilities above estimated as high. Disclaimer & Information: =================== The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages. Domain: www.bga.com.tr Social: twitter.com/bgasecurity Contact: advisory@bga.com.tr Copyright © 2015 | BGA - Bilgi Güvenliği Akademisi