Vanilla Forums Open Source Software Vulnerable to RCE, Host Header Injection Vulnerability

Threatpost


Golunski reported the issues to Vanilla Forums in January and while a support team acknowledged his reports, he’s experienced five months of silence from the company since, something that prompted him to finally disclose the vulnerabilities Thursday via his service.

Golunski says the most concerning vulnerability, the RCE (CVE-2016-10033), stems from a PHPMailer vulnerability he disclosed last December. An attacker could remotely exploit the same vulnerability in Vanilla Forums by sending a web request in which a payload is passed within the HOST header.

Russell told Threatpost Thursday that Vanilla Forums had originally earmarked the software’s PHPMailer library for an update after Golunski contacted the company. Russell acknowledged, however, that a workflow error meant developers never followed through with a new public release. The company now says it is rushing out a fix.

“We will expedite said release now, as we would have done had any followup been made by Golunski,” Russell said. “Again, our cloud service was not vulnerable, having naturally received an update to PHPMailer last year as part of our transition to Composer-based dependencies.”

The issue stems from the fact that the forum software uses the user-supplied HTTP Host header when sending emails from the host on which the forum was installed. That means an attacker could use the HTTP Host header to set the email sender domain to an arbitrary host.

“The resulting email will have the sender’s address set to noreply@attackers_server. The password reset link will also contain the attacker’s server which could allow the attacker to intercept the hash if the victim user clicked on the malicious link,” Golunski wrote Thursday.
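The pattern described above, and the mitigation Vanilla says is hard to unwind, as an added example that is not code from Vanilla Forums or from Golunski's advisory. It assumes a WSGI-style `environ` dictionary (where the request's Host header arrives as `HTTP_HOST`, the same variable name the article mentions), a hypothetical `/password-reset` path, and an operator-configured allow-list of hostnames; all sample inputs are constructed. The vulnerable function builds the sender address and reset link straight from the header; the hardened one accepts the header only when it is syntactically a hostname and on the allow-list, and otherwise falls back to the configured canonical host.

```python
import re
from urllib.parse import quote

# Hostname syntax (RFC 1123 labels, dot-separated, optional :port).
# Anything else, including whitespace, quotes or shell metacharacters,
# is rejected before it can reach a mailer or a URL. IPv6 literals in
# brackets are deliberately not accepted here (assumption of this example).
_HOST_RE = re.compile(
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?::\d{1,5})?"
)

RESET_PATH = "/password-reset"  # hypothetical path, not Vanilla's


def build_reset_mail_vulnerable(environ, token):
    """The pattern the article describes: whatever the client sent as Host
    becomes both the sender domain and the host in the reset link."""
    host = environ.get("HTTP_HOST", "")
    return {
        "from": f"noreply@{host}",
        "link": f"https://{host}{RESET_PATH}?token={quote(token)}",
    }


def resolve_host(environ, allowed_hosts, canonical_host):
    """Return a hostname the application is willing to put in outbound mail.

    The request's Host header is used only if it parses as a hostname and its
    bare name (port stripped) is on the operator's allow-list; otherwise the
    configured canonical host wins. This is the 'unwinding' the vendor
    describes: multi-domain installs keep working via the allow-list.
    """
    raw = environ.get("HTTP_HOST", "")
    if 0 < len(raw) <= 253 and _HOST_RE.fullmatch(raw):
        bare = raw.split(":", 1)[0].lower()
        if bare in allowed_hosts:
            return bare
    return canonical_host


def build_reset_mail_hardened(environ, token, allowed_hosts, canonical_host):
    """Same output shape as the vulnerable version, but the host is trusted."""
    host = resolve_host(environ, allowed_hosts, canonical_host)
    return {
        "from": f"noreply@{host}",
        "link": f"https://{host}{RESET_PATH}?token={quote(token)}",
    }


def unexpected_hosts(host_values, allowed_hosts):
    """Detection aid for operators: given Host values pulled from access logs,
    return the distinct ones that are not on the allow-list (port ignored)."""
    seen = set()
    for raw in host_values:
        bare = raw.split(":", 1)[0].lower()
        if bare not in allowed_hosts:
            seen.add(raw)
    return sorted(seen)


if __name__ == "__main__":
    allowed = {"forum.example.org"}
    canonical = "forum.example.org"
    # Constructed request: the client supplied a Host header it controls.
    forged = {"HTTP_HOST": "attackers-server.example"}
    print(build_reset_mail_vulnerable(forged, "t0k3n"))
    print(build_reset_mail_hardened(forged, "t0k3n", allowed, canonical))
    # Constructed log sample: Host values observed by the web server.
    print(unexpected_hosts(
        ["forum.example.org", "forum.example.org:443", "attackers-server.example"],
        allowed,
    ))
```

Logging the Host header alongside each request, and periodically running something like `unexpected_hosts` over those values, gives an operator a cheap signal that someone is probing this class of flaw, whether or not the application itself has been patched.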

According to Russell, when Vanilla Forums responded to Golunski in January it told him the issue would take some time to fix due to the “complexity of unwinding the use of this server variable without breaking the myriad scenarios it can be used for in open source environments.”

“Golunski had expressed a more simplistic view of the issue and was openly impatient with us,” Russell said. “We received no further communication from the researcher after our explanation and request for time, nor prior to its publication.”

“We believe these publications were hostile to the users of our free and open source software,” Russell said. “Both the updated version of PHPMailer and the potentially breaking change to the use of HTTP_HOST will shortly be made available in a new open source version, Vanilla 2.3.1. The same outcome could have been achieved with sufficient communication or warning.”

Golunski hinted at the vulnerabilities in Vanilla Forums back in December but didn’t name the software. When he disclosed the initial PHPMailer bug the researcher mentioned that he had developed an unauthenticated RCE exploit for “a popular open-source application (deployed on the Internet on more than a million servers) as a PoC for real-world exploitation.”

“The exploits and techniques prove that these types of vulnerabilities could be exploited by unauthenticated attackers via server headers such as HOST header that may be used internally by a vulnerable application to dynamically create a sender address,” Golunski told Threatpost Thursday. “This adds to the originally presented attack surface of contact forms that take user input including From/Sender address.”