Vanilla Multiple Vulnerabilities
Vendor: Mark O'Sullivan
Product: Vanilla
Version: <= 1.1.4
Website: http://www.getvanilla.com/
BID: 30748
CVE: CVE-2008-3874 CVE-2008-3758
OSVDB: 47684
SECUNIA: 31527
PACKETSTORM: 69231
Description:
Vanilla is an open-source, standards-compliant, multi-lingual, fully extensible web based discussion forum. Unfortunately there are a couple of issues within Vanilla that allow for a malicious user to steal client based credentials such as cookies. These issues include both script injection and cross site scripting. An updated version of Vanilla has been released and users should upgrade their Vanilla installation as soon as possible.


Cross Site Scripting
There is a Cross Site Scripting issue in Vanilla that allow for theft of client side credentials such as cookies. An example can be found in people.php. This issue is a result of unsanitized GPC variables being displayed to the end user.

/people.php?PostBackAction=Apply&NewPassword='"><script>alert(document.cookie)%3B<%2Fscript>

The above example link would display the end users cookie to them. Of course this can also be used to steal the cookie data as mentioned earlier in this advisory.


Script Injection
There is a script injection issue within Vanilla that may allow for a malicious user to gain admin credentials via cookie theft. The problem is a result of the "Picture", "Icon", and Label => Value pairs within the user account information not being properly escaped. It seems that only strip_tags is used, which is not sufficient. All developers need not forget that if the user supplied data is being placed within a tag, as parameters, then the htmlspecialchars function or a similar equivalent must be used so that quotes are properly escaped. Otherwise we can inject additional parameters in to the affected tag like in the example shown below.

test" onclick=alert(document.cookie); "

By entering the above text in to one of the previously mentioned vulnerable fields an attacker can successfully have the javascript execute in the context of the admin's browser whenever the affected field is clicked.


Solution:
The Vanilla developers have released an updated version of Vanilla which resolves the previously mentioned. Vanilla 1.1.5 RC 1 can be found at the following url.

http://lussumo.com/community/discussion/8559/vanilla-115-release-candidate-1/


Credits:
James Bercegay of the GulfTech Security Research Team