CVE-2005-4461
Description
SQL injection vulnerability in index.php in Beehive Forum 0.6.2 and earlier allows remote attackers to execute arbitrary SQL commands via the user_sess parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <=0.6.2
Patches
Vulnerability mechanics
Root cause
"Unsanitized user input supplied via the `user_sess` parameter overrides the `$user_sess` variable when `register_globals` is enabled, leading to SQL injection."
Attack vector
An unauthenticated remote attacker sends an HTTP GET request to `index.php` with a malicious `user_sess` parameter, e.g., `http://example.com/beehive/index.php?user_sess=k`. When PHP's `register_globals` is enabled, this overrides the `$user_sess` variable that was set by `bh_session_check()`. The unsanitized value is then interpolated into a SQL query, allowing arbitrary SQL commands to be executed [ref_id=1]. No authentication is required and the attack complexity is low [ref_id=1].
Affected code
The vulnerability is in `index.php` of Beehive Forum 0.6.2 and earlier. The `$user_sess` variable is set via `bh_session_check(false)` but when `register_globals` is enabled, an attacker can override it by supplying `user_sess` as a query parameter. The unsanitized value is then used directly in a SQL query, as shown in the error message: `USER_FORUM.UID = k` where `k` is the injected value [ref_id=1].
What the fix does
No vendor-supplied patch was available at the time of disclosure [ref_id=1]. The advisory recommends that users disable `register_globals` in PHP configuration as a mitigation, since the vulnerability is only exploitable when that setting is enabled. A proper fix would involve initializing `$user_sess` before any user input can override it, or using input validation/sanitization on the parameter before it is used in SQL queries.
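The two fixes named above (unconditional initialization plus validation before the value reaches SQL), as an added example that is not Beehive Forum's code and not taken from the advisory. It assumes PHP 8 with the PDO SQLite driver; `example_session_check`, `normalise_uid`, `load_user_forum` and the table layout beyond `USER_FORUM.UID` are hypothetical.

```php
<?php
// Added example. Only USER_FORUM.UID and $user_sess come from the page;
// every function name and the NOTE column are hypothetical.

// Constructed stand-in for the forum's session lookup: returns the
// server-side session array, or false for a guest.
function example_session_check(): array|false
{
    return ['UID' => 7];
}

// Accept a UID only if it is a non-negative integer or an all-digit string.
function normalise_uid(mixed $uid): ?int
{
    if (is_int($uid)) {
        return $uid >= 0 ? $uid : null;
    }
    if (is_string($uid) && ctype_digit($uid)) {
        return (int) $uid;
    }
    return null;
}

function load_user_forum(PDO $db, mixed $user_sess): array
{
    $uid = is_array($user_sess) ? normalise_uid($user_sess['UID'] ?? null) : null;
    if ($uid === null) {
        return [];   // anything malformed is treated as a guest
    }
    // Bound parameter: the value is never part of the SQL text.
    $stmt = $db->prepare('SELECT * FROM USER_FORUM WHERE UID = :uid');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE USER_FORUM (UID INTEGER, NOTE TEXT)');
$db->exec("INSERT INTO USER_FORUM VALUES (7, 'constructed row')");

// Assign unconditionally from server-side state, so a request-supplied
// user_sess (register_globals) is overwritten before any use.
$user_sess = example_session_check();
var_dump(count(load_user_forum($db, $user_sess)));      // server-side session
var_dump(count(load_user_forum($db, 'k')));             // bare string, as in the error message
var_dump(count(load_user_forum($db, ['UID' => 'k'])));  // array-shaped request value
```

Rejecting the malformed value before the query also removes the SQL error output that the reproduction step relies on.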
Preconditions
- config: PHP register_globals must be enabled on the server
- auth: No authentication required
- network: Attacker must be able to send HTTP GET requests to the server
- input: Attacker supplies the user_sess parameter in the query string
Reproduction
Visit `http://example.com/beehive/index.php?user_sess=k` with a browser. The server will return an SQL error indicating the injected value `k` was used in the query clause `USER_FORUM.UID = k` [ref_id=1]. For SQL injection, replace `k` with a crafted SQL payload such as `1+MYFORUM` or a UNION-based injection [ref_id=1].
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.