Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
How Secure is Vanilla?
Log in from computer A. Log in from computer B. Change password. Both stay logged in. Create a Vanilla install in another folder on your domain. Log in. Switch to the first install. Post. User posts as if they were a different user - all it took was the cookie with the right user ID. Now imagine someone purposefully doing this (it's not hard to spoof a domain). I really think authentication should be taken a little more seriously.
This discussion has been closed.
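One way to close both gaps reported in the post above, shown as an added example that is not Vanilla's code and not part of the original discussion: the cookie is MAC'd with a per-install secret, so a cookie from another install on the same domain fails verification, and it carries a per-user session epoch that is bumped on password change, so older sessions stop working. The install names, secrets, storage dictionaries and function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample data: two installs on one domain, each with its own secret.
INSTALL_SECRETS = {"forum-a": b"secret-for-install-a", "forum-b": b"secret-for-install-b"}
# Per install: user_id -> session epoch, bumped whenever the password changes.
SESSION_EPOCH = {"forum-a": {1: 0, 2: 0}, "forum-b": {1: 0}}


def _mac(install, user_id, epoch):
    # Bind the MAC to the install name as well as the user and epoch.
    msg = f"{install}|{user_id}|{epoch}".encode()
    return hmac.new(INSTALL_SECRETS[install], msg, hashlib.sha256).hexdigest()


def issue_cookie(install, user_id):
    """Return 'user_id.epoch.mac' for a user who has just authenticated."""
    epoch = SESSION_EPOCH[install][user_id]
    return f"{user_id}.{epoch}.{_mac(install, user_id, epoch)}"


def verify_cookie(install, cookie):
    """Return the authenticated user id, or None if the cookie is not valid here."""
    try:
        uid_s, epoch_s, mac = cookie.split(".")
        user_id, epoch = int(uid_s), int(epoch_s)
    except ValueError:
        return None  # wrong shape, e.g. a bare user id
    current = SESSION_EPOCH[install].get(user_id)
    if current is None or epoch != current:
        return None  # unknown user, or session predates a password change
    expected = _mac(install, user_id, epoch)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # forged, or issued by a different install
    return user_id


def change_password(install, user_id):
    """Bump the epoch so every cookie issued earlier stops verifying."""
    SESSION_EPOCH[install][user_id] += 1
```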