Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Beehive Forum 1.4.4 - Persistent Cross-Site Scripting

🗓️ 23 Feb 2015 00:00:00Reported by Halil DalabasmazType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 22 Views

Beehive Forum v1.4.4 Stored XSS Vulnerability discovered by BGA Security Team on Feb 23, 2015. High severity level. Remote, unauthenticated exploitation

Code
Document Title:
============
Beehive Forum v1.4.4 Stored XSS Vulnerability

Author:
==============
Halil Dalabasmaz

Release Date:
===========
23 Feb 2015

Product & Service Introduction:
========================
Beehive is an open-source project for creating a high-configurable
frame-based discussion forum.

Vendor Homepage:
=================
http://www.beehiveforum.co.uk

Abstract Advisory Information:
=======================
BGA Security Team discovered an Stored XSS vulnerability in 
Beehive Forum v1.4.4

Vulnerability Disclosure Timeline:
=========================
20 Feb 2015 -   Contact with Vendor
21 Feb 2015	-   Vendor Response
22 Feb 2015 -   Vendor Fix
23 Feb 2015 -   Confirm Fix
23 Feb 2015 -   Public Disclosure

Discovery Status:
=============
Published

Affected Product(s):
===============
Beehive Forum v1.4.4 

Exploitation Technique:
==================
Remote, Unauthenticated

Severity Level:
===========
High

Technical Details & Description:
========================
Stored XSS

Tested On:
============
Iceweasel & Chromium

Sample Payload:
=================
http://"><script>alert('XSS');</script>

Proof of Concept (PoC):
=======================
Proof of Concept

The vulnerable inputs are "Homepage URL", "Picture URL" and "Avatar URL" on Profile Section.
Following line contain the vulnerability in edit_prefs.php; 

    if (isset($_POST['homepage_url'])) {

        $user_prefs['HOMEPAGE_URL'] = trim($_POST['homepage_url']);
        $user_prefs_global['HOMEPAGE_URL'] = (isset($_POST['homepage_url_global'])) ? $_POST['homepage_url_global'] == "Y" : true;

        if (strlen(trim($user_prefs['HOMEPAGE_URL'])) > 0) {

            if (preg_match('/^http:\/\//u', $user_prefs['HOMEPAGE_URL']) < 1) {
                $error_msg_array[] = gettext("Homepage URL must include http:// schema.");
                $valid = false;

            } else if (!user_check_pref('HOMEPAGE_URL', $user_prefs['HOMEPAGE_URL'])) {

                $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Homepage URL"));
                $valid = false;
            }
        }
    }

    if (isset($_POST['pic_url'])) {

        $user_prefs['PIC_URL'] = trim($_POST['pic_url']);
        $user_prefs_global['PIC_URL'] = (isset($_POST['pic_url_global'])) ? $_POST['pic_url_global'] == "Y" : true;

        if (strlen(trim($user_prefs['PIC_URL'])) > 0) {

            if (preg_match('/^http:\/\//u', $user_prefs['PIC_URL']) < 1) {
                $error_msg_array[] = gettext("Picture URL must include http:// schema.");
                $valid = false;

            } else if (!user_check_pref('PIC_URL', $user_prefs['PIC_URL'])) {

                $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Picture URL"));
                $valid = false;
            }
        }
    }

   if (strlen(trim($user_prefs['AVATAR_URL'])) > 0) {

      if (preg_match('/^http:\/\//u', $user_prefs['AVATAR_URL']) < 1) {
         $error_msg_array[] = gettext("Avatar URL must include http:// schema.");
         $valid = false;

         } else if (!user_check_pref('AVATAR_URL', $user_prefs['AVATAR_URL'])) {

               $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Avatar URL"));
               $valid = false;
            }
        }

Solution Fix & Patch:
================
Upgrade the the script.

Security Risk:
==========
The risk of the vulnerabilities above estimated as high.

Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without 
any warranty. BGA disclaims all  warranties, either expressed or 
implied, including the warranties of merchantability and capability for 
a particular purpose. BGA or its suppliers are not liable in any case of 
damage, including direct, indirect, incidental, consequential loss of 
business profits or special damages.
			
Domain:     www.bga.com.tr
Social:     twitter.com/bgasecurity
Contact:    [email protected]
	
Copyright © 2015 | BGA - Bilgi Güvenliği Akademisi

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
23 Feb 2015 00:00Current
7High risk
Vulners AI Score7
beehive forumstored xssbga security teamremoteunauthenticatedvulnerabilityhigh severity
22