header-logo
Suggest Exploit
vendor:
Vanilla Forums
by:
Henry Hoggard
8,8
CVSS
HIGH
Insecure Permissions & XSS
79
CWE
Product Name: Vanilla Forums
Affected Version From: 2.0.18.8
Affected Version To: 2.1
Patch Exists: NO
Related CWE: none yet
CPE: a:vanilla_forums:vanilla_forums
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Debian
2013

Vanilla Forums Insecure Permissions Vulnerability & XSS

When you make a draft you can view it at a URL like: /index.php?p=/post/editdiscussion/0/5. However other accounts can view these drafts by just iterating the number on the end of the url, such as /index.php?p=/post/editdiscussion/0/1, /index.php?p=/post/editdiscussion/0/2, etc. This occurs in the flagging function. Flag a post with any flag reason. Flag the exact same post again, this time with your XSS script <script>alert(1)</script>. The XSS will trigger on the admin dashboard.

Mitigation:

Ensure that all drafts are properly secured and that only authorized users can access them.
Source

Exploit-DB raw data:

# Exploit Title: Vanilla Forums Insecure Permissions Vulnerability
# Date: 15/5/13
# Exploit Author: Henry Hoggard
# Author Website: http://henryhoggard.co.uk
# Vendor Homepage: http://vanillaforums.org    
# Software Link: http://vanillaforums.org
# Version: 2.0.18.8
# Tested on: Debian
# CVE : none yet

When you make a draft you can view it at a URL like:
/index.php?p=/post/editdiscussion/0/5

However other accounts can view these drafts by just iterating the
number on the end of the url, such as
/index.php?p=/post/editdiscussion/0/1
/index.php?p=/post/editdiscussion/0/2
etc

# Exploit Title: Vanilla Forums 2.0.18.8 & 2.1 XSS
# Date: May 12 2013
# Exploit Author: Henry Hoggard
# Author URL: http://henryhoggard.co.uk
# Vendor Homepage: http://vanillaforums.org
# Software Link: http://vanillaforums.org
# Version: Vanilla 2.0.18.8
# Tested on: Debian

This occurs in the flagging function.

Tutorial
Flag a post with any flag reason.

Flag the exact same post again, this time with your XSS script
<script>alert(1)</script>

The XSS will trigger on the admin dashboard.

Navigation

Suggest Exploit

Services By CQR