Secunia

Community Login

Customer Login

Partner Login

Overview

Advisories

Research

Forums

Create Profile

Our Commitment

Database

Advisories by Product

Advisories by Vendor

Terminology

Report Vulnerability

Insecure Library Loading

Secunia Advisory SA31527

Vanilla Multiple Vulnerabilities

Secunia Advisory

SA31527

Get alerted and manage the vulnerability life cycle

Release Date

2008-08-20

Last Update

2008-09-04

Popularity

4,411 views

Comments

0 comments

Criticality level

Less critical

Impact

Cross Site Scripting

Where

From remote

Authentication level

Available in Customer Area

Report reliability

Available in Customer Area

Solution Status

Partial Fix

Systems affected

Available in Customer Area

Approve distribution

Available in Customer Area

Software:

Vanilla 1.x

Secunia CVSS Score

Available in Customer Area

CVE Reference(s)

CVE-2008-3758 CVSS available in Customer Area
CVE-2008-3759 CVSS available in Customer Area
CVE-2008-3760 CVSS available in Customer Area
CVE-2008-3874 CVSS available in Customer Area

Description

Some vulnerabilities have been reported in Vanilla, which can be exploited by malicious users to conduct script insertion attacks, and by malicious people to conduct cross-site scripting and cross-site request forgery attacks.

1) Input passed to the "NewPassword" parameter in people.php (when "PostBackAction" is set to "Apply") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed to the "Account picture", "Icon", and "Value" (under "Add custom information") form fields in account.php is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML attributes, which are executed in a user's browser session in context of an affected site when the malicious data is viewed.

Successful exploitation of this vulnerability requires that the attacker has valid user credentials and that the victim has valid administrator credentials.

3) A vulnerability in ajax/UpdateCheck.php is caused due to the application allowing users to perform certain actions via HTTP requests without performing any validity checks to verify the request. No further information is currently available.

4) A vulnerability in the sign-out functionality is caused due to the application allowing users to perform certain actions via HTTP requests without performing any validity checks to verify the request. No further information is currently available.

The vulnerabilities are reported in version 1.1.4. Other versions may also be affected.

Solution
All vulnerabilities except for the "Value" form field in #2 are fixed in version 1.1.5-rc1.
Further details available in Customer Area

Provided and/or discovered by
1, 2) James Bercegay, GulfTech Security Research Team
3) Dinoboff
4) ggaudrea

Changelog
Further details available in Customer Area

Original Advisory
Vanilla:
http://lussumo.com/community/discussion/8559/vanilla-115-release-candidate-1/

GulfTech:
http://www.gulftech.org/?node=research&article_id=00126-08192008

Deep Links
Links available in Customer Area

Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: Vanilla Multiple Vulnerabilities

No posts yet

Secunia

Secunia Advisory SA31527

Vanilla Multiple Vulnerabilities

Do you have additional information related to this advisory?

You must be logged in to post a comment.

Secunia Customer Login

Not a customer already?