Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12568
HistoryMay 07, 2006 - 12:00 a.m.

ChipmunkBoard Multiple Attack vectors

2006-05-0700:00:00
vulners.com
5

ChipmunkBoard Multiple Attack vectors

Discovered by: Nomenumbra
Date: 6/4/2006
impact:high (privilege escalation,possible defacement)

It is possible to insert the following javascript in the BBcode or supply it as your avatar url:

javascript:alert(%27xss%27);

Also ChipmunkBoard is prone to SQL-injection, provided magic_quotes is turned off.

SQL injection is as follows (quite odd), replace whateveruser with the username you want to log in as:

a' or ('1' = '1' AND username = 'whateveruser') or '2' = '2

The vulnerable code lies in:

$query = "select * from b_users where username='$username' and password='$password' and validated='1'";

Nomenumbra/[0x4F4C]