lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 19 Aug 2008 09:38:50 -0500
From: GulfTech Security Research <security@...ftech.org>
To: bugtraq@...urityfocus.com
Subject: Vanilla <= 1.1.4 Script Injection/ XSS

##########################################################
# GulfTech Security Research              August 19, 2008
##########################################################
# Vendor : Mark O'Sullivan
# URL : http://www.getvanilla.com/
# Version : Vanilla <= 1.1.4
# Risk : Multiple Vulnerabilities
##########################################################


Description:
Vanilla is an open-source, standards-compliant, multi-lingual,
fully extensible web based discussion forum. Unfortunately there
are a couple of issues within Vanilla that allow for a malicious
user to steal client based credentials such as cookies. These
issues include both script injection and cross site scripting.
An updated version of Vanilla has been released and users should
upgrade their Vanilla installation as soon as possible.



Cross Site Scripting:
There is a Cross Site Scripting issue in Vanilla that allow
for theft of client side credentials such as cookies. An example
can be found in people.php. This issue is a result of unsanitized
GPC variables being displayed to the end user.

/people.php?PostBackAction=Apply&NewPassword='"><script>alert
(document.cookie)%3B<%2Fscript>

The above example link would display the end users cookie to
them. Of course this can also be used to steal the cookie data
as mentioned earlier in this advisory.



Script Injection:
There is a script injection issue within Vanilla that may allow
for a malicious user to gain admin credentials via cookie theft.
The problem is a result of the "Picture", "Icon", and Label => Value
pairs within the user account information not being properly escaped.
It seems that only strip_tags is used, which is not sufficient. All
developers need not forget that if the user supplied data is being
placed within a tag, as parameters, then the htmlspecialchars
function or a similar equivalent must be used so that quotes are
properly escaped. Otherwise we can inject additional parameters in
to the affected tag like in the example shown below.

test" onclick=alert(document.cookie); "

By entering the above text in to one of the previously mentioned
vulnerable fields an attacker can successfully have the javascript
execute in the context of the admin's browser whenever the affected
field is clicked.



Solution:
The Vanilla developers have released an updated version of Vanilla
which resolves the previously mentioned. Vanilla 1.1.5 RC 1 can be
found at the following url

http://lussumo.com/community/discussion/8559/vanilla-115-release-candidate-1/



Credits:
James Bercegay of the GulfTech Security Research Team



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00126-08192008

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ