Five months ago, Legal Hackers’ security researcher Dawid Golunski discovered two critical zero-day vulnerabilities in Vanilla, an open source software package widely used to build forums.
Vanilla is currently in use in over 500,000 forums on the internet, making these vulnerabilities even more dangerous.
The Polish security researcher found that the two vulnerabilities, a host header injection (CVE-2016-10073) and a remote code execution flaw (CVE-2016-10033), could give unauthenticated attackers remote access, potentially compromising the hundreds of thousands of websites running the most recent stable release, Vanilla Forums 2.3, or earlier versions.
Golunski’s immediate course of action after finding the vulnerabilities was to report them to Vanilla Forums. However, apart from a brief acknowledgment from a support team, he received no further response, which prompted him to make the announcement himself through his own ExploitBox.io service.
The Remote Code Execution (RCE) Vulnerability
Golunski attributes the vulnerabilities to Vanilla Forums’ use of a vulnerable version of PHPMailer, a widely used open source PHP library.
This vulnerable PHPMailer version is the technical reason the vulnerabilities pose such a threat to the open source forum software.
Months later, when Lincoln Russell, a senior developer at the company, was reached for comment, he said that the flawed PHPMailer version had been earmarked for an update after Golunski contacted them.
But a workflow error had prevented the company from rolling out a public release.
Following the security researcher’s announcement, however, Vanilla Forums now has plans to unveil a fix, albeit a rushed one, in the coming days.
The security researcher considers the RCE (CVE-2016-10033) vulnerability to be critical since it enables the remote execution of arbitrary code in the web server’s context, thereby making it possible to compromise the web application that is being targeted.
Alongside the detailed report, Golunski also released a proof-of-concept video to demonstrate how the PHPMailer exploit made even the latest software versions vulnerable to remote attacks, especially if the attacker combined it with the host header injection (CVE-2016-10073).
Golunski explained that the vulnerability could still be exploited even when the software was hosted on an Apache web server with several other name-based vhosts enabled, whether or not the forum was the default vhost.
The Host Header Injection Vulnerability
The second unpatched vulnerability in the Vanilla Forums software, as Golunski discovered, was a lot like a previously discovered WordPress vulnerability.
It mimics a technique an attacker can use on their own to trigger a password reset: the host header injection vulnerability could be used to hijack targeted admin accounts by sending a spoofed HTTP request carrying a custom HOST header, so that the reset link points at a host the attacker controls.
The second of the two vulnerabilities, as Golunski disclosed earlier, could be used to carry out attacks such as Web-cache poisoning and the aforementioned remote execution of arbitrary code.
Vulnerabilities Affect Versions 2.3 and Earlier
The Polish researcher believes that the vulnerabilities he discovered affect Vanilla Forum’s earlier versions all the way to their most recent version, 2.3. He has suggested a quick fix for one of the vulnerabilities.
To prevent the host header injection vulnerability from being exploited, he recommended that administrators of any website using the open source forum software set a fixed, predetermined value for the sender’s email address, which should remain unchanged so that the forum software no longer derives it from the HOST header.
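The following PHP snippet is an added illustration of the pattern described above and of the recommended fix; it is not Vanilla Forums’ code or PHPMailer’s code, and every function name, path and host value in it is hypothetical. The first function shows how deriving the sender address and the password-reset link from the request’s Host header lets a spoofed header flow into outgoing mail; the second uses a fixed sender address and canonical host taken from configuration, and rejects requests whose Host header does not match, so a spoofed header is detected rather than reflected.

```php
<?php
// Added illustration, not Vanilla Forums' code. All names are hypothetical.

// --- Vulnerable pattern: trusts whatever Host header the client sent ---
function buildResetMailUntrusted(string $token, array $server): array
{
    $host = $server['HTTP_HOST'];                 // attacker-controlled value
    return [
        'from' => 'noreply@' . $host,             // sender domain follows the header
        'link' => 'https://' . $host . '/password-reset?token=' . rawurlencode($token),
    ];
}

// --- Hardened pattern: fixed sender and canonical host from configuration ---
const CANONICAL_HOST = 'forum.example.com';         // assumed site configuration
const SENDER_ADDRESS = 'noreply@forum.example.com'; // fixed value, never taken from the request

function buildResetMailHardened(string $token, array $server): array
{
    // Defence in depth: refuse a request whose Host header does not match the
    // configured host instead of silently using it. Log this on a real site;
    // a mismatch is a useful detection signal for header-spoofing attempts.
    $seen = strtolower($server['HTTP_HOST'] ?? '');
    if ($seen !== CANONICAL_HOST) {
        throw new RuntimeException('Unexpected Host header: ' . $seen);
    }
    return [
        'from' => SENDER_ADDRESS,
        'link' => 'https://' . CANONICAL_HOST . '/password-reset?token=' . rawurlencode($token),
    ];
}

// Constructed sample requests: one with a spoofed Host header, one legitimate.
$token    = 'constructed-token-123';
$spoofed  = ['HTTP_HOST' => 'attacker.example'];
$genuine  = ['HTTP_HOST' => 'forum.example.com'];

print_r(buildResetMailUntrusted($token, $spoofed)); // from/link now carry attacker.example

try {
    buildResetMailHardened($token, $spoofed);
} catch (RuntimeException $e) {
    echo 'Rejected: ' . $e->getMessage() . PHP_EOL;  // spoofed header is refused
}

print_r(buildResetMailHardened($token, $genuine));  // from/link use the configured host
```

The essential change is that neither the sender address nor the link host is read from `$_SERVER['HTTP_HOST']`; the Host comparison is an extra check that also gives operators something to alert on, and it should be done against the configured value rather than a list of patterns the attacker might be able to satisfy.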
When reached for comment, Russell specified that the vulnerabilities, although relevant, only affected their open source products.
As such, their cloud customers were in no way at risk of suffering from attacks based on the exploitation of the two vulnerabilities.
Announcing Patches for the Two Vulnerabilities
Nearly a week after Golunski made his announcement public, Vanilla Forums announced that they had patched the vulnerabilities in their latest release—although the patches will only benefit their paying cloud customers.
Users of the free open source forum software are still susceptible to attacks based on the exploitation of the two vulnerabilities.
To prevent this, users have been advised to upgrade to the latest release, which is Vanilla version 2.3.1.