Network Security Bugtraq

Beehive Forum Multiple Vulnerabilities

Subject: Beehive Forum Multiple Vulnerabilities
Date: 25 Jul 2005 04:29:06 -0000
--------------------------------------
Beehive Forum Multiple Vulnerabilities
--------------------------------------

Beehive Forum is affected by SQL injection, XSS, and path disclosure.

Vulnerabilities
---------------

1) The $_GET "webtag" parameter is on almost every page of the product and is 
vulnerable to SQL injection, but because of the large number of pages (I am 
guessing around 25) I will not put them all here. XSS can also be performed in 
this parameter by putting a leading ' in front of the JavaScript, such as:

forum/index.php?webtag='<script>alert(document.cookie);</script>

2) Inputting an offsite link such as http://www.google.com to the "final_uri" 
parameter of index.php results in path disclosure. Inputting ' as the "sort_by" 
parameter on index.php also results in path disclosure.

3) Inside the includes folder, directly visiting many of the pages results in 
path disclosure. This occurs because of the way the code calls the includes. 
For example, in admin.php one of the first lines is:

// Constant to define where the include files are
define("BH_INCLUDE_PATH", "./include/");

Now when you visit one of the include pages directly, you get an error of:

Warning: main(BH_INCLUDE_PATHconstants.inc.php) [function.main]: failed to open 
stream ....

Since BH_INCLUDE_PATH is defined on each calling page and not in the include 
itself, it is undefined when the include is visited directly and cannot be 
properly used there. A few of the pages in /forum/include (way too many to 
list, I counted 29 total) are affected by this issue. I listed a few here:

admin.php
attachments.inc.php
banned.inc.php
beehive.inc.php
constants.inc.php
db.inc.php
dictionary.inc.php 

4) /forum/search_index.php produces path disclosure for the same reasons as 
mentioned above in part 3.

Solutions
---------

1) The normal cleansing of variables before use in an SQL query.

2) Check the page before redirecting to it.

3) On all the affected pages, put code to check if the file is directly 
accessed and, if it is, have it die.

4) Same as 3.

Credits
-------
tgo thegreatone2176@yahoo.com

Greets
------
Zak, Elohimus, and teabag
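
Solutions 1 and 3 above, sketched as an added example that is not part of the original advisory and is not Beehive Forum code. The forums table, the webtag format, and the helper names clean_webtag, find_forum and html are assumptions made for illustration.

```php
<?php
// Added example, not Beehive Forum source. The forums table, its columns and
// the webtag format (letters, digits, underscore, 1-32 chars) are assumptions.

// Solution 3: the entry page defines the constant (line quoted from admin.php).
define("BH_INCLUDE_PATH", "./include/");

// Each file under include/ would start with this guard, so a direct request
// stops before a failing include() can print the server path in a warning.
if (!defined("BH_INCLUDE_PATH")) {
    header("HTTP/1.1 403 Forbidden");
    exit;
}

// Solution 1: accept webtag only when it matches a strict allow-list pattern.
function clean_webtag($raw): ?string
{
    $ok = is_string($raw) && preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $raw);
    return $ok ? $raw : null;
}

// Bind the value as a parameter; never concatenate it into the SQL text.
function find_forum(PDO $db, string $webtag)
{
    $stmt = $db->prepare('SELECT name FROM forums WHERE webtag = ?');
    $stmt->execute([$webtag]);
    return $stmt->fetchColumn(); // forum name, or false when no row matches
}

// Escape on output so a reflected value is rendered as text, not markup.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE forums (webtag TEXT PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO forums VALUES ('DEFAULT', 'Main forum')");

// Samples: a valid tag, the advisory's own XSS string, and a lone quote.
$samples = ["DEFAULT", "'<script>alert(document.cookie);</script>", "'"];
foreach ($samples as $raw) {
    $tag = clean_webtag($raw);
    $name = ($tag === null) ? false : find_forum($db, $tag);
    echo html($raw), ' => ', ($name === false) ? 'rejected or unknown' : html($name), "\n";
}
```

With display_errors disabled in production, PHP warnings such as the one quoted in item 3 also stay out of HTTP responses.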
