Vanilla Forums 2.0.18.8 – Multiple Vulnerabilities

  • Author: Henry Hoggard
    Date: 2013-05-26
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/25720/
  • # Exploit Title: Vanilla Forums Insecure Permissions Vulnerability
    # Date: 15/5/13
    # Exploit Author: Henry Hoggard
    # Author Website: http://henryhoggard.co.uk
    # Vendor Homepage: http://vanillaforums.org
    # Software Link: http://vanillaforums.org
    # Version: 2.0.18.8
    # Tested on: Debian
    # CVE : none yet
    
    When you make a draft you can view it at a URL like:
    /index.php?p=/post/editdiscussion/0/5
    
    However, other accounts can view these drafts just by iterating the
    number at the end of the URL, such as
    /index.php?p=/post/editdiscussion/0/1
    /index.php?p=/post/editdiscussion/0/2
    etc.
    
    # Exploit Title: Vanilla Forums 2.0.18.8 & 2.1 XSS
    # Date: May 12 2013
    # Exploit Author: Henry Hoggard
    # Author URL: http://henryhoggard.co.uk
    # Vendor Homepage: http://vanillaforums.org
    # Software Link: http://vanillaforums.org
    # Version: Vanilla 2.0.18.8
    # Tested on: Debian
    
    This occurs in the flagging function.
    
    Tutorial
    Flag a post with any flag reason.
    
    Flag the exact same post again, this time with your XSS script
    <script>alert(1)</script>
    
    The XSS will trigger on the admin dashboard.
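
A defender's check for the draft enumeration described in the first advisory, as an added example that is not part of the original advisory: it scans web access logs for a single client fetching many distinct draft IDs through the `editdiscussion` route. The combined log format, the sample lines, the threshold and the function name are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Draft edit route quoted in the advisory: /index.php?p=/post/editdiscussion/0/<id>
DRAFT_RE = re.compile(r"[?&]p=/post/editdiscussion/0/(\d+)")
# Assumption: Apache/nginx "combined" access-log layout.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log lines (documentation IP ranges), not real traffic.
_FMT = '{ip} - - [15/May/2013:10:00:0{n} +0000] "{req} HTTP/1.1" {st} 512 "-" "Mozilla/5.0"'
_ROWS = [
    ("203.0.113.7", "GET /index.php?p=/post/editdiscussion/0/1", 200),
    ("203.0.113.7", "GET /index.php?p=/post/editdiscussion/0/2", 200),
    ("203.0.113.7", "GET /index.php?p=%2Fpost%2Feditdiscussion%2F0%2F3", 200),
    ("203.0.113.7", "GET /index.php?p=/post/editdiscussion/0/4", 200),
    ("203.0.113.7", "GET /index.php?p=/discussions", 200),
    ("198.51.100.20", "GET /index.php?p=/post/editdiscussion/0/5", 200),
    ("198.51.100.20", "POST /index.php?p=/post/editdiscussion/0/5", 200),
    ("198.51.100.20", "GET /index.php?p=/post/editdiscussion/0/6", 404),
]
SAMPLE_LOG = [_FMT.format(ip=ip, n=n, req=req, st=st)
              for n, (ip, req, st) in enumerate(_ROWS)]

def find_draft_enumeration(lines, threshold=3):
    """Return {client_ip: sorted draft ids} for clients that were served
    (HTTP 200) at least `threshold` distinct draft ids.

    The log cannot show who owns a draft, so a hit is a lead for review,
    not proof: a user with several drafts of their own also matches.
    """
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log layout
        ip, target, status = m.groups()
        if status != "200":
            continue  # assumption: only 200 means the draft page was served
        d = DRAFT_RE.search(unquote(target))  # also matches %2F-encoded routes
        if d:
            seen[ip].add(int(d.group(1)))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}

if __name__ == "__main__":
    for ip, ids in find_draft_enumeration(SAMPLE_LOG).items():
        print(f"{ip} fetched drafts {ids}")
```

Tune `threshold` to how many drafts a normal user keeps, and compare flagged IDs with draft ownership in the forum database before drawing conclusions.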