[VIM] Chipmunk XSS is likely resultant from SQL injection
Steven M. Christey
coley at mitre.org
Sun Oct 23 01:25:07 EDT 2005
I'm not in the mood at this instant to deal with this entirely, but I
thought I'd mention it:
XSS & Path Disclosure in Chipmunk's products
http://marc.theaimsgroup.com/?l=bugtraq&m=112982490104274&w=2
This is likely another example of primary SQL injection with resultant
XSS from an error message, being labeled only as XSS by the
researcher.
A download of the Forum product and a quick glance at quote.php shows
that the $forumID variable is used in several SQL queries, e.g.:
> $getforuminfo="SELECT * from b_forums where ID='$forumID'";
and
> $posting="INSERT INTO b_posts (author, title, post,timepost, telapsed, threadparent, postforum, lastpost,nosmilies,ipaddress ) values ('$name', '$title', '$post', '$day', '$timegone', '$threadparent', '$forumID','$user','$nosmiley','$s')";
Interestingly, later vectors in the code suggest there might be real
XSS.
- Steve
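To make the "primary SQL injection, resultant XSS" distinction concrete, here is an added Python simulation (not code from the post or from Chipmunk Forum) of the quote.php pattern quoted above. It stands in SQLite for MySQL and assumes the page's error handler echoes both the database error and the failed query back into the HTML, a common PHP habit of that era and the path by which the injected string reaches the browser; the table contents and probe string are constructed. The hardened variant shows that parameterising the query removes the reflection at its source, and that escaping on output covers the separate case of data that is legitimately stored with markup in it.

```python
"""Simulate primary SQL injection with resultant XSS, and the fix.

The original code is PHP against MySQL; this uses sqlite3 so it runs offline.
"""
import html
import sqlite3


def make_db():
    """Constructed stand-in for the forum's b_forums table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE b_forums (ID INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO b_forums VALUES (1, 'General')")
    # A legitimately stored name containing markup, to exercise output escaping.
    conn.execute("INSERT INTO b_forums VALUES (2, 'Q&A <beta>')")
    conn.commit()
    return conn


def vulnerable_quote_page(conn, forum_id):
    """Mirrors the quoted quote.php query: $forumID interpolated into the SQL.

    The primary flaw is the string interpolation. The XSS is resultant: the
    assumed error handler below echoes the failed query, so any injected
    string, including markup, lands verbatim in the response body.
    """
    sql = "SELECT * from b_forums where ID='%s'" % forum_id
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Assumed handler, in the style of die("Query failed: " . mysql_error() . $sql).
        return "<p>Query failed: %s<br>Query: %s</p>" % (exc, sql)
    return "<h1>Forum: %s</h1>" % (row[1] if row else "unknown")


def hardened_quote_page(conn, forum_id):
    """Parameterised query plus a generic error and escaped output.

    Parameterisation means user input never becomes part of the SQL text, so
    a malformed value simply matches nothing and no query text exists to be
    reflected. html.escape guards the independent case of stored markup.
    """
    sql = "SELECT * from b_forums where ID=?"
    try:
        row = conn.execute(sql, (forum_id,)).fetchone()
    except sqlite3.Error:
        return "<p>Query failed.</p>"  # nothing user-controlled is reflected
    name = row[1] if row else "unknown"
    return "<h1>Forum: %s</h1>" % html.escape(name)


def reflects_probe(page_html, probe):
    """True when the raw probe string appears unescaped in the rendered page."""
    return probe in page_html


if __name__ == "__main__":
    probe = "'<b>injected</b>"  # constructed probe: breaks the quoting, carries markup
    db = make_db()
    print("vulnerable reflects probe:", reflects_probe(vulnerable_quote_page(db, probe), probe))
    print("hardened reflects probe:  ", reflects_probe(hardened_quote_page(db, probe), probe))
    print(hardened_quote_page(db, "2"))
```

Running it shows the vulnerable handler returning a page that contains the probe verbatim, because the SQL error path echoes the interpolated query, while the hardened handler returns a plain "unknown" forum page and escapes the stored markup in forum 2. That is the reason to file the root cause as SQL injection rather than as XSS alone: fixing the query removes the reflection without any separate XSS fix.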