Document Title:
===============
Beehive Forum v1.4.4 Stored XSS Vulnerability

Author:
=======
Halil Dalabasmaz

Release Date:
=============
23 Feb 2015

Product & Service Introduction:
===============================
Beehive is an open-source project for creating a highly configurable frame-based discussion forum.

Vendor Homepage:
================
http://www.beehiveforum.co.uk

Abstract Advisory Information:
==============================
BGA Security Team discovered a stored XSS vulnerability in Beehive Forum v1.4.4.

Vulnerability Disclosure Timeline:
==================================
20 Feb 2015 - Contact with Vendor
21 Feb 2015 - Vendor Response
22 Feb 2015 - Vendor Fix
23 Feb 2015 - Confirm Fix
23 Feb 2015 - Public Disclosure

Discovery Status:
=================
Published

Affected Product(s):
====================
Beehive Forum v1.4.4

Exploitation Technique:
=======================
Remote. The vulnerable fields are in the user profile editor, so storing the payload requires a forum account (any registered user will do); once stored, the script executes in the browser of every visitor who views the profile, logged in or not.

Severity Level:
===============
High

Technical Details & Description:
================================
Stored XSS. The three profile URL fields are validated only for a leading "http://"; the remaining characters of the value, including the double quote and angle brackets in the sample payload, are accepted and stored, and the stored value later reaches the page in a form that lets the payload close the surrounding attribute and tag.

Tested On:
==========
Iceweasel & Chromium

Sample Payload:
===============
http://"><script>alert('XSS');</script>

Proof of Concept (PoC):
=======================
The vulnerable inputs are "Homepage URL", "Picture URL" and "Avatar URL" in the Profile section. Submit the sample payload in any of them: the leading http:// satisfies the scheme check, user_check_pref() does not reject the quote or the angle brackets, the value is saved, and the alert fires when the profile is viewed.

The following lines in edit_prefs.php contain the vulnerability (the only scheme check is the regular expression prefix match; nothing parses the rest of the string as a URL):

    if (isset($_POST['homepage_url'])) {
        $user_prefs['HOMEPAGE_URL'] = trim($_POST['homepage_url']);
        $user_prefs_global['HOMEPAGE_URL'] = (isset($_POST['homepage_url_global'])) ? $_POST['homepage_url_global'] == "Y" : true;

        if (strlen(trim($user_prefs['HOMEPAGE_URL'])) > 0) {
            // Only the "http://" prefix is enforced; everything after it passes.
            if (preg_match('/^http:\/\//u', $user_prefs['HOMEPAGE_URL']) < 1) {
                $error_msg_array[] = gettext("Homepage URL must include http:// schema.");
                $valid = false;
            // user_check_pref() accepts the double quote and angle brackets in the sample payload.
            } else if (!user_check_pref('HOMEPAGE_URL', $user_prefs['HOMEPAGE_URL'])) {
                $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Homepage URL"));
                $valid = false;
            }
        }
    }

    if (isset($_POST['pic_url'])) {
        $user_prefs['PIC_URL'] = trim($_POST['pic_url']);
        $user_prefs_global['PIC_URL'] = (isset($_POST['pic_url_global'])) ? $_POST['pic_url_global'] == "Y" : true;

        if (strlen(trim($user_prefs['PIC_URL'])) > 0) {
            // Same prefix-only check as above.
            if (preg_match('/^http:\/\//u', $user_prefs['PIC_URL']) < 1) {
                $error_msg_array[] = gettext("Picture URL must include http:// schema.");
                $valid = false;
            } else if (!user_check_pref('PIC_URL', $user_prefs['PIC_URL'])) {
                $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Picture URL"));
                $valid = false;
            }
        }
    }

    if (strlen(trim($user_prefs['AVATAR_URL'])) > 0) {
        // Same prefix-only check as above.
        if (preg_match('/^http:\/\//u', $user_prefs['AVATAR_URL']) < 1) {
            $error_msg_array[] = gettext("Avatar URL must include http:// schema.");
            $valid = false;
        } else if (!user_check_pref('AVATAR_URL', $user_prefs['AVATAR_URL'])) {
            $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Avatar URL"));
            $valid = false;
        }
    }

Solution Fix & Patch:
=====================
Upgrade to the vendor's fixed release (the fix was issued on 22 Feb 2015 and confirmed on 23 Feb 2015). Until the upgrade is applied, administrators can reduce exposure by clearing profile URL fields that contain quotes or angle brackets.

Security Risk:
==============
The risk of the vulnerability above is estimated as high.

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.

Domain: www.bga.com.tr
Social: twitter.com/bgasecurity
Contact: advisory@bga.com.tr

Copyright © 2015 | BGA - Bilgi Güvenliği Akademisi
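The following is an added example written for this advisory; it is not Beehive Forum code and not part of the vendor's fix. It places the v1.4.4-style prefix check beside a hardened validator and an output-encoding step, and runs both over the advisory's sample payload and a benign URL. The function names (beehive_style_check, url_is_safe, render_profile_link) and the two inputs are constructed for the example.

```php
<?php
// Added example for this advisory; not Beehive Forum code. Function names
// (beehive_style_check, url_is_safe, render_profile_link) are hypothetical.

// Mirrors the v1.4.4 check quoted in the PoC: only a leading "http://" is required.
function beehive_style_check(string $url): bool
{
    return preg_match('/^http:\/\//u', trim($url)) === 1;
}

// Hardened replacement: parse the URL, allow only http/https, require a
// hostname made of hostname characters, and reject anything that could
// terminate an HTML attribute or tag.
function url_is_safe(string $url): bool
{
    $url = trim($url);
    if ($url === '' || strlen($url) > 2048) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Hostname labels: ASCII letters, digits and hyphens, joined by dots.
    // The payload's host starts with '"', so it fails here.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?';
    if (preg_match('/^' . $label . '(?:\.' . $label . ')*$/', $parts['host']) !== 1) {
        return false;
    }
    // No quotes, angle brackets, whitespace or control characters anywhere.
    return preg_match('/["\'<>\s\x00-\x1f\x7f]/', $url) !== 1;
}

// Output encoding: escape on the way out regardless of what validation did,
// so a value that slipped past the input check still cannot close the
// href attribute or the <a> tag.
function render_profile_link(string $label, string $url): string
{
    $safeUrl   = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeLabel = htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safeUrl . '" rel="nofollow noopener">' . $safeLabel . '</a>';
}

// Constructed inputs: the advisory's sample payload and a benign URL.
$payload = 'http://"><script>alert(\'XSS\');</script>';
$benign  = 'http://www.beehiveforum.co.uk/';

foreach ([$payload, $benign] as $input) {
    printf("%-45s prefix-check=%s hardened=%s\n",
        $input,
        beehive_style_check($input) ? 'pass' : 'reject',
        url_is_safe($input) ? 'pass' : 'reject');
}
echo render_profile_link('Homepage', $payload), "\n";
```

Run it with `php example.php`. For the sample payload, beehive_style_check() passes it because the string begins with http://, while url_is_safe() rejects it: the first character of the parsed host is a double quote, which fails the hostname rule, and the character class at the end would reject the quote and angle brackets anyway. The benign URL passes both. The rendered link shows the quote and angle brackets as HTML entities, which is the property that actually prevents the stored value from executing; input validation narrows what gets stored, output encoding is what stops the break-out. The hostname rule deliberately admits only ASCII labels, so a deployment that accepts internationalised hostnames would need to convert them to their ASCII form before this check (an assumption about deployment, not something the advisory covers).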