search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Vanilla Forums version 2.1.a26 contains a parameter manipulation vulnerability

Vulnerability Note VU#611988

Original Release Date: 2012-11-12 | Last Revised: 2012-11-12

Overview

Vanilla Forums version 2.1.a26 and possibly other versions is vulnerable to parameter manipulation via the "edit profile" page of authenticated users.

Description

CWE-280: Improper Handling of Insufficient Permissions or Privileges

Vanilla Forums version 2.1.a26 and possibly other versions are vulnerable to parameter manipulation via the "edit profile" page of authenticated users. An attacker with the ability to man-in-the-middle the connection using a proxy can alter the "UserID" of the user they wish to change allowing them to alter any profile setting and even change the email address.

Impact

An authenticated attacker can alter any profile setting including changing the email address for any user on the forum.

Solution

Update

The vendor has stated this vulnerability has been addressed in version 2.1a32. Users are advised to update to version 2.1a32 or higher.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing a web interface using stolen credentials from a blocked network location.

Vendor Information

611988
 
Expand all

VanillaForums Affected

Notified:  September 26, 2012 Updated: November 12, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has stated this vulnerability has been addressed in version 2.1a32. Users are advised to update to version 2.1a32 or higher.


CVSS Metrics

Group Score Vector
Base 6.3 AV:N/AC:M/Au:S/C:N/I:C/A:N
Temporal 4.8 E:U/RL:U/RC:UC
Environmental 1.3 CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

http://vanillaforums.org/download

Acknowledgements

Thanks to Phillip Gonzalez for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-4954
Date Public: 2012-11-12
Date First Published: 2012-11-12
Date Last Updated: 2012-11-12 19:06 UTC
Document Revision: 13

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis