Beehive Forum存储型XSS漏洞

Beehive Forum存储型XSS漏洞


发布日期:2015-03-05
更新日期:2015-03-13

受影响系统:

Beehive Beehive 1.4.4

描述:


CVE(CAN) ID: CVE-2015-2198

Beehive是开源的论坛项目。

Beehive Forum 1.4.4版本中,edit_prefs.php存在多个跨站脚本漏洞,通过homepage_url、pic_url、avatar_url参数,远程攻击者可注入任意Web脚本或HTML。

<*来源:Halil Dalabasmaz
  *>

测试方法:


警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Document Title:
============
Beehive Forum v1.4.4 Stored XSS Vulnerability

Author:
==============
Halil Dalabasmaz

Release Date:
===========
23 Feb 2015

Product & Service Introduction:
========================
Beehive is an open-source project for creating a high-configurable
frame-based discussion forum.

Vendor Homepage:
=================
http://www.beehiveforum.co.uk

Abstract Advisory Information:
=======================
BGA Security Team discovered an Stored XSS vulnerability in
Beehive Forum v1.4.4

Vulnerability Disclosure Timeline:
=========================
20 Feb 2015 -  Contact with Vendor
21 Feb 2015 -  Vendor Response
22 Feb 2015 -  Vendor Fix
23 Feb 2015 -  Confirm Fix
23 Feb 2015 -  Public Disclosure

Discovery Status:
=============
Published

Affected Product(s):
===============
Beehive Forum v1.4.4

Exploitation Technique:
==================
Remote, Unauthenticated

Severity Level:
===========
High

Technical Details & Description:
========================
Stored XSS

Tested On:
============
Iceweasel & Chromium

Sample Payload:
=================
http://"><script>alert('XSS');</script>

Proof of Concept (PoC):
=======================
Proof of Concept

The vulnerable inputs are "Homepage URL", "Picture URL" and "Avatar URL" on Profile Section.
Following line contain the vulnerability in edit_prefs.php;

    if (isset($_POST['homepage_url'])) {

        $user_prefs['HOMEPAGE_URL'] = trim($_POST['homepage_url']);
        $user_prefs_global['HOMEPAGE_URL'] = (isset($_POST['homepage_url_global'])) ? $_POST['homepage_url_global'] == "Y" : true;

        if (strlen(trim($user_prefs['HOMEPAGE_URL'])) > 0) {

            if (preg_match('/^http:\/\//u', $user_prefs['HOMEPAGE_URL']) < 1) {
                $error_msg_array[] = gettext("Homepage URL must include http:// schema.");
                $valid = false;

            } else if (!user_check_pref('HOMEPAGE_URL', $user_prefs['HOMEPAGE_URL'])) {

                $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Homepage URL"));
                $valid = false;
            }
        }
    }

    if (isset($_POST['pic_url'])) {

        $user_prefs['PIC_URL'] = trim($_POST['pic_url']);
        $user_prefs_global['PIC_URL'] = (isset($_POST['pic_url_global'])) ? $_POST['pic_url_global'] == "Y" : true;

        if (strlen(trim($user_prefs['PIC_URL'])) > 0) {

            if (preg_match('/^http:\/\//u', $user_prefs['PIC_URL']) < 1) {
                $error_msg_array[] = gettext("Picture URL must include http:// schema.");
                $valid = false;

            } else if (!user_check_pref('PIC_URL', $user_prefs['PIC_URL'])) {

                $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Picture URL"));
                $valid = false;
            }
        }
    }

  if (strlen(trim($user_prefs['AVATAR_URL'])) > 0) {

      if (preg_match('/^http:\/\//u', $user_prefs['AVATAR_URL']) < 1) {
        $error_msg_array[] = gettext("Avatar URL must include http:// schema.");
        $valid = false;

        } else if (!user_check_pref('AVATAR_URL', $user_prefs['AVATAR_URL'])) {

              $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Avatar URL"));
              $valid = false;
            }
        }

Solution Fix & Patch:
================
Upgrade the the script.

Security Risk:
==========
The risk of the vulnerabilities above estimated as high.

Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without
any warranty. BGA disclaims all  warranties, either expressed or
implied, including the warranties of merchantability and capability for
a particular purpose. BGA or its suppliers are not liable in any case of
damage, including direct, indirect, incidental, consequential loss of
business profits or special damages.
           
Domain:    www.bga.com.tr
Social:    twitter.com/bgasecurity
Contact:    [email protected]
   
Copyright &#169; 2015 | BGA - Bilgi Güvenli&#287;i Akademisi

建议:


厂商补丁:

Beehive
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://sourceforge.net/p/beehiveforum/news/2015/02/beehive-forum-145-released/

xss

相关推荐