
Remote cross-site scripting (XSS) attack vulnerability in FirstLastNames 1.3.2 Plugin Fixed?

edited May 2014 in Vanilla 2.0 - 2.8

In my search for a possible GitHub repository for the FirstLastNames plugin I turned up instead a page of search results almost all about a vulnerability in the plugin that was identified a month after its latest release (date of the finding May 2012; last update for the plugin April 2012). I found it best described here: http://50.97.85.250-static.reverse.softlayer.com/show/osvdb/82081

It is old, but I couldn't find anything in Vanilla forums addressing this possible vulnerability, so I thought I would double check and make sure it is known, and is no longer a problem.

This page http://www.farlight.org/index.html?author=Henry---Hoggard seemed to give a way to test the vulnerability.

QUOTE FROM POST ON http://www.farlight.org/index.html?author=Henry---Hoggard

# Title: Vanilla FirstLastNames 1.3.2 Plugin Persistent XSS Vulnerability
# Date: 18/5/12
# Author: Henry Hoggard
# Author URL: henryhoggard.co.uk
# Author Twitter: @henryhoggard
# Software: Vanilla Version 2.0.18.4 + FirstLastNames 1.3.2

http://vanillaforums.org/addon/firstlastnames-plugin

# http://vanillaforums.org
#############################################################

On Edit your account enter your XSS String in either the first name or last name field.
Then if a user visits your page the XSS will execute.

http://target.tld/index.php?p=/profile/myprofile/1/user

XSS:
<script>alert('x')</script>

#############################################################

http://henryhoggard.co.uk

Comments

  • peregrine MVP
    edited May 2014

    title of discussion should be NOT fixed.

    it may not be known until you mentioned it. good find.

    and yes I can confirm, it is still vulnerable in version 1.3.2

    not an answer to your question, but there is a plugin called Profile Extender, where you could add whatever field you want to the profile, in lieu of this plugin until it is fixed.

    apparently first and last name needs some validation.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • jspautsch Themester ✭✭✭

    Snap, will see if I can get this fixed. I assumed that by using Vanilla's built-in form functions it would handle common validation scenarios.

  • x00 MVP
    edited May 2014

    You are pulling directly from the database and outputting it; you can't assume it would sanitize on the client side, it is not psychic.

    use Gdn_Format::Text();

    grep is your friend.
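The two comments above (the need for validation of the name fields, and the advice to pass database values through Gdn_Format::Text() before output) come down to one pattern: a stored value echoed into HTML without encoding. The following is an added example, not code from the FirstLastNames plugin or from anyone in this thread. It stands alone outside Vanilla, so it uses PHP's htmlspecialchars() directly, which is what Vanilla's Gdn_Format::Text() wraps; the $user array, the function names and the CSS class are constructed for illustration.

```php
<?php
// Added example (not the plugin's code): a profile field stored raw and
// echoed raw becomes stored XSS; encoding on output fixes it.
// Assumptions: $user mirrors a row with FirstName/LastName as stored in the
// database; inside a Vanilla plugin the encoder would be Gdn_Format::Text().

declare(strict_types=1);

/** Encode a stored string for safe placement in HTML text content. */
function formatText(string $value): string
{
    // ENT_QUOTES also encodes single quotes, so the value is safe inside
    // single-quoted attributes as well as element text.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/** Vulnerable rendering: the raw database value is dropped into markup. */
function renderNameVulnerable(array $user): string
{
    return '<div class="FullName">' . $user['FirstName'] . ' '
        . $user['LastName'] . '</div>';
}

/** Hardened rendering: every user-controlled value passes through the encoder. */
function renderNameSafe(array $user): string
{
    return '<div class="FullName">' . formatText($user['FirstName']) . ' '
        . formatText($user['LastName']) . '</div>';
}

// Constructed sample row: the payload from the advisory saved as a first
// name, plus a legitimate name with an apostrophe to show encoding is lossless.
$user = [
    'FirstName' => "<script>alert('x')</script>",
    'LastName'  => "O'Brien",
];

$vulnerable = renderNameVulnerable($user);
$safe       = renderNameSafe($user);

// The vulnerable output still contains a live <script> element; the safe
// output contains only encoded text that the browser displays literally.
assert(strpos($vulnerable, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(html_entity_decode($safe, ENT_QUOTES, 'UTF-8') === $vulnerable);

echo $vulnerable, PHP_EOL;
echo $safe, PHP_EOL;
```

Validation on input (rejecting angle brackets in a name, say) is a useful extra layer, but it is not a substitute for this: the value can reach the database by other routes, and the correct encoding depends on where the value is emitted, so the encoder belongs at the point of output.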
