##########################################################
# GulfTech Security Research August 19, 2008
##########################################################
# Vendor : Mark O'Sullivan
# URL : http://www.getvanilla.com/
# Version : Vanilla <= 1.1.4
# Risk : Multiple Vulnerabilities
##########################################################
Description:
Vanilla is an open-source, standards-compliant, multi-lingual,
fully extensible web-based discussion forum. Unfortunately there
are a couple of issues within Vanilla that allow a malicious
user to steal client-side credentials such as cookies. These
issues include both script injection and cross site scripting.
An updated version of Vanilla has been released and users should
upgrade their Vanilla installation as soon as possible.
Cross Site Scripting:
There is a Cross Site Scripting issue in Vanilla that allows
for theft of client-side credentials such as cookies. An example
can be found in people.php. This issue is a result of unsanitized
GPC variables being displayed to the end user.
/people.php?PostBackAction=Apply&NewPassword='"><script>alert(document.cookie)%3B<%2Fscript>
The above example link would display the end user's cookie to
them. Of course this can also be used to steal the cookie data,
as mentioned earlier in this advisory.
Script Injection:
There is a script injection issue within Vanilla that may allow
a malicious user to gain admin credentials via cookie theft.
The problem is a result of the "Picture", "Icon", and Label => Value
pairs within the user account information not being properly escaped.
It seems that only strip_tags is used, which is not sufficient. All
developers must not forget that if user-supplied data is being
placed within a tag, as a parameter, then the htmlspecialchars
function or a similar equivalent must be used so that quotes are
properly escaped. Otherwise additional parameters can be injected
into the affected tag, as in the example shown below.
test" onclick=alert(document.cookie); "
By entering the above text into one of the previously mentioned
vulnerable fields an attacker can have the JavaScript
execute in the context of the admin's browser whenever the affected
field is clicked.
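The following is an added example, not code from the advisory or from Vanilla, illustrating the point made in both the Cross Site Scripting and Script Injection sections: output that lands inside an HTML attribute has to be escaped with htmlspecialchars (or an equivalent), and strip_tags alone does nothing against a payload that contains no tags. The <img> markup and the escAttr helper are assumptions for illustration; Vanilla's actual templates are not shown here. The sample input is constructed to mirror the shape of the advisory's payload.

```php
<?php
// Constructed sample input, same shape as the advisory's payload: no <tags>,
// just a double quote that closes the attribute and a new attribute after it.
$userInput = 'test" onclick=alert(document.cookie); "';

// What the vulnerable code effectively did: strip_tags() removes <...> markup,
// but this input has none, so it passes through unchanged.
$stripped = strip_tags($userInput);
$unsafe   = '<img src="/pictures/' . $stripped . '" alt="picture">';
// Produces: <img src="/pictures/test" onclick=alert(document.cookie); "" alt="picture">
// The browser now sees a real onclick attribute.

// Attribute-context escaping (hypothetical helper name). ENT_QUOTES is the
// important flag: before PHP 8.1 the default only encoded double quotes, so a
// single-quoted attribute would still have been breakable.
function escAttr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
$safe = '<img src="/pictures/' . escAttr($userInput) . '" alt="picture">';
// Produces: <img src="/pictures/test&quot; onclick=alert(document.cookie); &quot;" alt="picture">
// The quotes are now literal text inside the src value; no new attribute exists.

// A simple regression check for a template: after rendering, a raw quote
// followed by an attribute name should never survive from user input.
function attributeBreakout(string $rendered): bool
{
    return (bool) preg_match('/["\']\s*on[a-z]+\s*=/i', $rendered);
}

var_dump(attributeBreakout($unsafe)); // bool(true)  -> injectable
var_dump(attributeBreakout($safe));   // bool(false) -> inert
```

The same rule covers the people.php case: the NewPassword value was echoed into the page without escaping, and htmlspecialchars at the point of output (not strip_tags at the point of input) is what prevents both variants. Escaping is context-dependent, so the helper above is only correct for HTML attribute and text-node contexts; data placed inside a <script> block or a URL needs a different encoder.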
Solution:
The Vanilla developers have released an updated version of Vanilla
which resolves the issues described above. Vanilla 1.1.5 RC 1 can be
found at the following URL:
http://lussumo.com/community/discussion/8559/vanilla-115-release-candidate-1/
Credits:
James Bercegay of the GulfTech Security Research Team
Related Info:
The original advisory can be found at the following location:
http://www.gulftech.org/?node=research&article_id=00126-08192008