Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Options

Flickrizer Exploit

NickENickE New
edited August 2006 in Vanilla 1.0 Help
As the Flickrizer extension does not validate any information it recieves from the rss file, it is easily possible to exploit this and insert js into an account page. For an example of this see my profile. You can see how it's done by viewing the rss 'feed': http://sirnot.googlepages.com/flickr.xml

Comments

  • Options
    nice :)
  • Options
    NickENickE New
    edited August 2006
    The FeedReader extension, by folletto, also seems to be vulnerable, although is probably less likely to be comprimised as the administrator is the one who chooses the feed url. For an example, if an item is constructed like the following, it will display a message box:<item> <title>Bla </a><script>alert('hi there');</script></title> <link>http://google.com/</link> </item> I am not sure if FlickrFeed suffers from this same vulnerability or not, as I do not know to what extent flickr will 'parse' the info in the php_serial formatted feed.
  • Options
    MarkMark Vanilla Staff
    Hmmm. Thanks for the heads up. I'll have to do a quick fix...
  • Options
    NickENickE New
    edited August 2006
    It'd probably be easiest to fix by replacing all instances of >, < and " with their html entity equivelents, then making sure urls have a valid protocol. But you'd also want to do something about end parenthesis in the thumbnail url, as people could break out of the url() function-thing and insert some js in the styling. Alternately you could add in qoutes around the url then replace single quotes in the url with entities...
  • Options
    MarkMark Vanilla Staff
    I was thinking about doing something like removing the need for the entire URL and just having them enter their id parameter from the rss querystring. Then I can just validate that value for number@letter## format like mine: 98748659@N00
This discussion has been closed.