Products: Chipmunk >> ( Forum , Topsites , Directory ) , [ Guestbook ] Versions: Tested: Last released of products Vendor: http://chipmunk-scripts.com Bug: ( XSS ) , [ Path Disclosure ] Exploitation: Remote --------------------------- Introduction: Chipmunk Forum is a small yet flexible and fully featured forum system. Chipmunk Topsites is a flexible topsite system utilizing PHP4/mysql. Chipmunk Directory is a powerful link indexing script. Chipmunk Guestbook is an easy to use yet powerful guestbook with a customizable layout --------------------------- vulnerability:XSS ( Forum , Topsites , Directory ) XSS Vulnerability in multiple PHP pages that may allow a remote user to launch cross-site scripting attacks. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. vulnerability:Path Disclosure [ Guestbook ] A remote user can supply a specially crafted URL to cause the system to display an error message that discloses the installation path and other data. ---------------------------- Demonstration XSS URL : http://example.com/board/newtopic.php?forumID='%3C/a>%3CIFRAME%20SRC=javascript:alert(%2527xss%2527)%3E%3C/IFRAME%3E http://example.com/board/quote.php?forumID='%3C/a>%3CIFRAME%20SRC=javascript:alert(%2527xss%2527)%3E%3C/IFRAME%3E & [ board/index.php , board/reply.php ] http://example.com/topsites/recommend.php?ID='%3C/a>%3CIFRAME%20SRC=javascript:alert(%2527xss%2527)%3E%3C/IFRAME%3E http://example.com/directory/recommend.php?entryID='%3C/a>%3CIFRAME%20SRC=javascript:alert(%2527xss%2527)%3E%3C/IFRAME%3E Demonstration Path Disclosure URL : http://example.com/guestbook/index.php?start=' ----------------------------- Solution: There is no vendor-supplied patch for this issue at this time. ------------------------------- Credits: Discovered & released by trueend5 Security Science Researchers Institute Of Iran [KAPDA.ir] Original Advisory: http://irannetjob.com/content/view/148/28/ __________________________________ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com