SecurityReason - Vanilla <= 1.1.4 Script Injection/ XSS

Advisory Text :

##########################################################
# GulfTech Security Research August 19, 2008
##########################################################
# Vendor : Mark O'Sullivan
# URL : http://www.getvanilla.com/
# Version : Vanilla <= 1.1.4
# Risk : Multiple Vulnerabilities
##########################################################

Description:
Vanilla is an open-source, standards-compliant, multi-lingual,
fully extensible web based discussion forum. Unfortunately there
are a couple of issues within Vanilla that allow for a malicious
user to steal client based credentials such as cookies. These
issues include both script injection and cross site scripting.
An updated version of Vanilla has been released and users should
upgrade their Vanilla installation as soon as possible.

Cross Site Scripting:
There is a Cross Site Scripting issue in Vanilla that allow
for theft of client side credentials such as cookies. An example
can be found in people.php. This issue is a result of unsanitized
GPC variables being displayed to the end user.

/people.php?PostBackAction=Apply&NewPassword='"><script>alert
(document.cookie)%3B<%2Fscript>

The above example link would display the end users cookie to
them. Of course this can also be used to steal the cookie data
as mentioned earlier in this advisory.

Script Injection:
There is a script injection issue within Vanilla that may allow
for a malicious user to gain admin credentials via cookie theft.
The problem is a result of the "Picture", "Icon", and Label => Value
pairs within the user account information not being properly escaped.
It seems that only strip_tags is used, which is not sufficient. All
developers need not forget that if the user supplied data is being
placed within a tag, as parameters, then the htmlspecialchars
function or a similar equivalent must be used so that quotes are
properly escaped. Otherwise we can inject additional parameters in
to the affected tag like in the example shown below.

test" onclick=alert(document.cookie); "

By entering the above text in to one of the previously mentioned
vulnerable fields an attacker can successfully have the javascript
execute in the context of the admin's browser whenever the affected
field is clicked.

Solution:
The Vanilla developers have released an updated version of Vanilla
which resolves the previously mentioned. Vanilla 1.1.5 RC 1 can be
found at the following url

http://lussumo.com/community/discussion/8559/vanilla-115-release-candida
te-1/

Credits:
James Bercegay of the GulfTech Security Research Team

Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00126-08192008