Beehive Forum Stored XSS Vulnerability
Published: 2015-03-17 10:36:54
CVE ID: CVE-2015-2198
Release date: 2015-03-05
Updated: 2015-03-13
Affected systems:
Beehive Beehive 1.4.4
Details:
Beehive is an open-source forum project.
Multiple cross-site scripting vulnerabilities in edit_prefs.php in Beehive Forum 1.4.4 allow remote attackers to inject arbitrary web script or HTML via the homepage_url, pic_url or avatar_url parameter.
Source:
Halil Dalabasmaz
Test method:
Warning: the following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users bear the risk themselves!
Document Title:
============
Beehive Forum v1.4.4 Stored XSS Vulnerability
Author:
==============
Halil Dalabasmaz
Release Date:
===========
23 Feb 2015
Product & Service Introduction:
========================
Beehive is an open-source project for creating a high-configurable
frame-based discussion forum.
Vendor Homepage:
=================
http://www.beehiveforum.co.uk
Abstract Advisory Information:
=======================
BGA Security Team discovered a Stored XSS vulnerability in
Beehive Forum v1.4.4
Vulnerability Disclosure Timeline:
=========================
20 Feb 2015 - Contact with Vendor
21 Feb 2015 - Vendor Response
22 Feb 2015 - Vendor Fix
23 Feb 2015 - Confirm Fix
23 Feb 2015 - Public Disclosure
Discovery Status:
=============
Published
Affected Product(s):
===============
Beehive Forum v1.4.4
Exploitation Technique:
==================
Remote, Unauthenticated
Severity Level:
===========
High
Technical Details & Description:
========================
Stored XSS
Tested On:
============
Iceweasel & Chromium
Sample Payload:
=================
http://"><script>alert('XSS');</script>
Proof of Concept (PoC):
=======================
Proof of Concept
The vulnerable inputs are "Homepage URL", "Picture URL" and "Avatar URL" on Profile Section.
The following lines contain the vulnerability in edit_prefs.php:
if (isset($_POST['homepage_url'])) {
    $user_prefs['HOMEPAGE_URL'] = trim($_POST['homepage_url']);
    $user_prefs_global['HOMEPAGE_URL'] = (isset($_POST['homepage_url_global'])) ? $_POST['homepage_url_global'] == "Y" : true;
    if (strlen(trim($user_prefs['HOMEPAGE_URL'])) > 0) {
        if (preg_match('/^http:\/\//u', $user_prefs['HOMEPAGE_URL']) < 1) {
            $error_msg_array[] = gettext("Homepage URL must include http:// schema.");
            $valid = false;
        } else if (!user_check_pref('HOMEPAGE_URL', $user_prefs['HOMEPAGE_URL'])) {
            $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Homepage URL"));
            $valid = false;
        }
    }
}
if (isset($_POST['pic_url'])) {
    $user_prefs['PIC_URL'] = trim($_POST['pic_url']);
    $user_prefs_global['PIC_URL'] = (isset($_POST['pic_url_global'])) ? $_POST['pic_url_global'] == "Y" : true;
    if (strlen(trim($user_prefs['PIC_URL'])) > 0) {
        if (preg_match('/^http:\/\//u', $user_prefs['PIC_URL']) < 1) {
            $error_msg_array[] = gettext("Picture URL must include http:// schema.");
            $valid = false;
        } else if (!user_check_pref('PIC_URL', $user_prefs['PIC_URL'])) {
            $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Picture URL"));
            $valid = false;
        }
    }
}
if (strlen(trim($user_prefs['AVATAR_URL'])) > 0) {
    if (preg_match('/^http:\/\//u', $user_prefs['AVATAR_URL']) < 1) {
        $error_msg_array[] = gettext("Avatar URL must include http:// schema.");
        $valid = false;
    } else if (!user_check_pref('AVATAR_URL', $user_prefs['AVATAR_URL'])) {
        $error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Avatar URL"));
        $valid = false;
    }
}
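The checks above only demand that the value start with http://, so a value that begins with that prefix and continues with attribute-breaking characters is accepted and later stored. As an added example, not code from the advisory or from Beehive, the PHP below places that prefix-only check beside a stricter validator and an output-encoding helper; the function names are hypothetical, and the test string is the advisory's sample payload.

```php
<?php
// Added example (not from the advisory or from Beehive): contrasts the
// prefix-only check shown in edit_prefs.php with a stricter validator for
// profile URLs. The payload is the one from the "Sample Payload" section.

// Mirrors the original check: only demands that the value start with "http://".
function weak_url_check(string $url): bool
{
    return preg_match('/^http:\/\//u', $url) === 1;
}

// Hardened check: the value must parse as an absolute URL, use an allowed
// scheme, and contain none of the characters that can break out of an
// HTML attribute or element context.
function strict_url_check(string $url): bool
{
    $url = trim($url);
    if ($url === '' || strlen($url) > 2048) {
        return false;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    // Reject quotes, angle brackets, whitespace and backslashes outright.
    return preg_match('/["\'<>\s\\\\]/', $url) !== 1;
}

// Output-side defence: always encode when reflecting a stored URL into HTML,
// regardless of what the input check let through.
function render_homepage_link(string $url): string
{
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . '">' . $safe . '</a>';
}

$payload = 'http://"><script>alert(\'XSS\');</script>';
var_dump(weak_url_check($payload));    // prefix-only check, as in the advisory's snippet
var_dump(strict_url_check($payload));  // hardened check on the same payload
var_dump(strict_url_check('https://www.beehiveforum.co.uk/'));  // a well-formed URL
echo render_homepage_link($payload), PHP_EOL;  // encoded, so it renders as text
```

Running the file with the PHP CLI shows the same payload passing the prefix check and failing the strict one, and the encoded link contains no live markup.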
Solution Fix & Patch:
================
Upgrade the script.
Security Risk:
==========
The risk of the vulnerabilities above is estimated as high.
Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without
any warranty. BGA disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for
a particular purpose. BGA or its suppliers are not liable in any case of
damage, including direct, indirect, incidental, consequential loss of
business profits or special damages.
Domain: www.bga.com.tr
Social: twitter.com/bgasecurity
Contact: advisory@bga.com.tr
Copyright © 2015 | BGA - Bilgi Güvenliği Akademisi
Solution:
Vendor patch:
Beehive
-------
The vendor has released an upgrade patch to fix this security issue; download it from the vendor's homepage:
http://sourceforge.net/p/beehiveforum/news/2015/02/beehive-forum-145-released/