AOH :: HP Unsorted V :: VA1021.HTM

Vanilla <= 1.1.4 Script Injection/ XSS



Vanilla <= 1.1.4 Script Injection/ XSS
Vanilla <= 1.1.4 Script Injection/ XSS



##########################################################
# GulfTech Security Research              August 19, 2008
##########################################################
# Vendor : Mark O'Sullivan
# URL : http://www.getvanilla.com/ 
# Version : Vanilla <= 1.1.4
# Risk : Multiple Vulnerabilities
##########################################################


Description:
Vanilla is an open-source, standards-compliant, multi-lingual,
fully extensible web based discussion forum. Unfortunately there
are a couple of issues within Vanilla that allow for a malicious
user to steal client based credentials such as cookies. These
issues include both script injection and cross site scripting.
An updated version of Vanilla has been released and users should
upgrade their Vanilla installation as soon as possible.



Cross Site Scripting:
There is a Cross Site Scripting issue in Vanilla that allow
for theft of client side credentials such as cookies. An example
can be found in people.php. This issue is a result of unsanitized
GPC variables being displayed to the end user.

/people.php?PostBackAction=Apply&NewPassword='">


The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.