lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050725042906.18781.qmail@securityfocus.com>
Date: 25 Jul 2005 04:29:06 -0000
From: thegreatone2176@...oo.com
To: bugtraq@...urityfocus.com
Subject: Beehive Forum Multiple Vulnerabilities


--------------------------------------
Beehive Forum Multiple Vulnerabilities
--------------------------------------

Beehive Forum is affected by sql injection, xss, and path disclosure.

Vulnerabilities
---------------

1) The $_GET "webtag" parameter is on almost every page of the product and is vulnerable to sql injection, but because of the large number of pages ( I am guessing around 25 ) I will not put them all here. Also xss can be performed in this parameter by putting a leading ' in front of the javascript such as:

forum/index.php?webtag='<script>alert(document.cookie);</script>

2) Inputting an offsite link such as http://www.google.com to the "final_uri" parameter of index.php results in path disclosure. Inputting ' as the "sort_by" parameter on index.php also results in path disclosure.

3) Inside of the includes folder, directly visiting many of the pages result in path disclosure. This occurs by the way the code calls the includes. For example in admin.php one of the first lines is:

// Constant to define where the include files are
define("BH_INCLUDE_PATH", "./include/");

now when you visit one of the includes pages you get an error of:

Warning: main(BH_INCLUDE_PATHconstants.inc.php) [function.main]: failed to open stream ....

so since BH_INCLUDE_PATH is defined on each page it cannot be properly used inside the include. A few of the pages /forum/include ( way too many to list, I counted 29 total ) are affected by this issue. I listed a few here:

admin.php
attachments.inc.php
banned.inc.php
beehive.inc.php
constants.inc.php
db.inc.php
dictionary.inc.php 

4) /forum/search_index.php produces path disclosure for the same reasons as mentioned above in part 3.

Solutions
---------

1) The normal cleansing of variables before use in an sql query.

2) Check the page before redirecting to it.

3) On all the affected pages put code to check if the file is directly accessed and if it is then have it die.

4) same as 3

Credits
-------
tgo thegreatone2176@...oo.com

Greets
------
Zak, Elohimus, and teabag


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ