vanilla-xss.txt

`##########################################################  
# GulfTech Security Research August 19, 2008  
##########################################################  
# Vendor : Mark O'Sullivan  
# URL : http://www.getvanilla.com/  
# Version : Vanilla <= 1.1.4  
# Risk : Multiple Vulnerabilities  
##########################################################  
  
  
Description:  
Vanilla is an open-source, standards-compliant, multi-lingual,  
fully extensible web based discussion forum. Unfortunately there  
are a couple of issues within Vanilla that allow for a malicious  
user to steal client based credentials such as cookies. These  
issues include both script injection and cross site scripting.  
An updated version of Vanilla has been released and users should  
upgrade their Vanilla installation as soon as possible.  
  
  
  
Cross Site Scripting:  
There is a Cross Site Scripting issue in Vanilla that allow  
for theft of client side credentials such as cookies. An example  
can be found in people.php. This issue is a result of unsanitized  
GPC variables being displayed to the end user.  
  
/people.php?PostBackAction=Apply&NewPassword='"><script>alert  
(document.cookie)%3B<%2Fscript>  
  
The above example link would display the end users cookie to  
them. Of course this can also be used to steal the cookie data  
as mentioned earlier in this advisory.  
  
  
  
Script Injection:  
There is a script injection issue within Vanilla that may allow  
for a malicious user to gain admin credentials via cookie theft.  
The problem is a result of the "Picture", "Icon", and Label => Value  
pairs within the user account information not being properly escaped.  
It seems that only strip_tags is used, which is not sufficient. All  
developers need not forget that if the user supplied data is being  
placed within a tag, as parameters, then the htmlspecialchars  
function or a similar equivalent must be used so that quotes are  
properly escaped. Otherwise we can inject additional parameters in  
to the affected tag like in the example shown below.  
  
test" onclick=alert(document.cookie); "  
  
By entering the above text in to one of the previously mentioned  
vulnerable fields an attacker can successfully have the javascript  
execute in the context of the admin's browser whenever the affected  
field is clicked.  
  
  
  
Solution:  
The Vanilla developers have released an updated version of Vanilla  
which resolves the previously mentioned. Vanilla 1.1.5 RC 1 can be  
found at the following url  
  
http://lussumo.com/community/discussion/8559/vanilla-115-release-candidate-1/  
  
  
  
Credits:  
James Bercegay of the GulfTech Security Research Team  
  
  
  
Related Info:  
The original advisory can be found at the following location  
http://www.gulftech.org/?node=research&article_id=00126-08192008  
`