# Exploit Title: Vanilla Forums Insecure Permissions Vulnerability# Date: 15/5/13# Exploit Author: Henry Hoggard# Author Website: http://henryhoggard.co.uk# Vendor Homepage: http://vanillaforums.org# Software Link: http://vanillaforums.org# Version: 2.0.18.8# Tested on: Debian# CVE : none yet
When you make a draft you can view it at a URL like:/index.php?p=/post/editdiscussion/0/5
However other accounts can view these drafts by just iterating the
number on the end of the url, such as/index.php?p=/post/editdiscussion/0/1/index.php?p=/post/editdiscussion/0/2
etc
# Exploit Title: Vanilla Forums 2.0.18.8 & 2.1 XSS# Date: May 12 2013# Exploit Author: Henry Hoggard# Author URL: http://henryhoggard.co.uk# Vendor Homepage: http://vanillaforums.org# Software Link: http://vanillaforums.org# Version: Vanilla 2.0.18.8# Tested on: Debian
This occurs in the flagging function.
Tutorial
Flag a post withany flag reason.
Flag the exact same post again, this time with your XSS script
<script>alert(1)</script>
The XSS will trigger on the admin dashboard.
