DATABASE RESOURCES PRICING ABOUT US

{"id": "SECURITYVULNS:DOC:20384", "bulletinFamily": "software", "title": "Vanilla <= 1.1.4 Script Injection/ XSS", "description": "##########################################################\r\n# GulfTech Security Research August 19, 2008\r\n##########################################################\r\n# Vendor : Mark O'Sullivan\r\n# URL : http://www.getvanilla.com/\r\n# Version : Vanilla <= 1.1.4\r\n# Risk : Multiple Vulnerabilities\r\n##########################################################\r\n\r\n\r\nDescription:\r\nVanilla is an open-source, standards-compliant, multi-lingual,\r\nfully extensible web based discussion forum. Unfortunately there\r\nare a couple of issues within Vanilla that allow for a malicious\r\nuser to steal client based credentials such as cookies. These\r\nissues include both script injection and cross site scripting.\r\nAn updated version of Vanilla has been released and users should\r\nupgrade their Vanilla installation as soon as possible.\r\n\r\n\r\n\r\nCross Site Scripting:\r\nThere is a Cross Site Scripting issue in Vanilla that allow\r\nfor theft of client side credentials such as cookies. An example\r\ncan be found in people.php. This issue is a result of unsanitized\r\nGPC variables being displayed to the end user.\r\n\r\n/people.php?PostBackAction=Apply&NewPassword='"><script>alert\r\n(document.cookie)%3B<%2Fscript>\r\n\r\nThe above example link would display the end users cookie to\r\nthem. Of course this can also be used to steal the cookie data\r\nas mentioned earlier in this advisory.\r\n\r\n\r\n\r\nScript Injection:\r\nThere is a script injection issue within Vanilla that may allow\r\nfor a malicious user to gain admin credentials via cookie theft.\r\nThe problem is a result of the "Picture", "Icon", and Label => Value\r\npairs within the user account information not being properly escaped.\r\nIt seems that only strip_tags is used, which is not sufficient. All\r\ndevelopers need not forget that if the user supplied data is being\r\nplaced within a tag, as parameters, then the htmlspecialchars\r\nfunction or a similar equivalent must be used so that quotes are\r\nproperly escaped. Otherwise we can inject additional parameters in\r\nto the affected tag like in the example shown below.\r\n\r\ntest" onclick=alert(document.cookie); "\r\n\r\nBy entering the above text in to one of the previously mentioned\r\nvulnerable fields an attacker can successfully have the javascript\r\nexecute in the context of the admin's browser whenever the affected\r\nfield is clicked.\r\n\r\n\r\n\r\nSolution:\r\nThe Vanilla developers have released an updated version of Vanilla\r\nwhich resolves the previously mentioned. Vanilla 1.1.5 RC 1 can be\r\nfound at the following url\r\n\r\nhttp://lussumo.com/community/discussion/8559/vanilla-115-release-candidate-1/\r\n\r\n\r\n\r\nCredits:\r\nJames Bercegay of the GulfTech Security Research Team\r\n\r\n\r\n\r\nRelated Info:\r\nThe original advisory can be found at the following location\r\nhttp://www.gulftech.org/?node=research&article_id=00126-08192008", "published": "2008-08-19T00:00:00", "modified": "2008-08-19T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20384", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:27", "edition": 1, "viewCount": 11, "enchantments": {"score": {"value": 0.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:9233"]}], "rev": 4}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:9233"]}]}, "exploitation": null, "vulnersScore": 0.3}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645565731, "score": 1659803227}, "_internal": {"score_hash": "f025362e7f23622ecc2e02f7d3787e8a"}}

{}