Unpatched 0-Days in Vanilla Forums Let Remote Attackers Hack Websites


A security researcher has publicly disclosed two critical zero-day vulnerabilities in Vanilla Forums, open source forum software that powers discussion on over 500,000 websites, which could allow unauthenticated, remote attackers to fully compromise targeted websites.

Discovered by Polish security researcher Dawid Golunski of Legal Hackers, the two separate unpatched vulnerabilities, a remote code execution flaw (CVE-2016-10033) and a host header injection flaw (CVE-2016-10073), affect the latest version of Vanilla Forums, 2.3, leaving hundreds of thousands of websites and their visitors exposed to a range of attacks.

Vanilla Forums: Remote Code Execution Flaw

According to Golunski, both vulnerabilities exist because Vanilla Forums still ships a vulnerable version of PHPMailer, one of the most popular open source PHP libraries for sending email.

Last year Golunski reported a critical remote code execution flaw (CVE-2016-10033) in the PHPMailer library that allows an attacker to execute arbitrary code in the context of the web server and compromise the target web application.

In a proof-of-concept video, Golunski demonstrated that the same PHPMailer exploit also works against Vanilla Forums: combined with the host header injection, it lets an attacker deliver arbitrary commands and payloads through the HOST header of the request.

"It should be noted that this vulnerability can still be exploited even if Vanilla software is hosted on Apache web server with several name-based vhosts enabled, and despite not being the default vhost," the researcher explained.

Vanilla Forums: Host Header Injection Flaw

The Host Header Injection vulnerability in Vanilla Forums can also be used on its own to hijack user accounts, including administrator accounts, by sending a spoofed HTTP request with a custom HOST header (for example attacker-mxserver.com) while initiating a password reset for the targeted user.

The technique works in a similar manner to the WordPress flaw Golunski disclosed just last week, allowing attackers to gain access to user accounts, carry out "Web-cache poisoning attacks, and in some instances, execute arbitrary code."

Golunski reported the vulnerabilities to Vanilla Forums in January this year. The company acknowledged his reports but then went silent for around five months, which prompted him to publish his findings.

The researcher confirmed that both flaws still exist in the most recent stable version of Vanilla Forums, 2.3, and believes that older versions of the forum software are also vulnerable.

Until the company ships a fix, Golunski advises website administrators, as a temporary mitigation, to set the sender's email address to a predefined static value so that Vanilla Forums no longer derives it from the HOST header.
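The password-reset hijack described above and the static-sender mitigation just recommended, modelled as an added example. This is Python written for this page to illustrate the request-to-mail flow, not Vanilla Forums' own PHP code; the reset URL path, the `noreply@` sender and the header names are assumptions, and the request headers are constructed inline. The vulnerable function shows why a spoofed Host header reaches both the sender address and the reset link; the hardened function pins both to configured values and rejects a sender that is not a plain mailbox address, which is the class of input the published PHPMailer CVE-2016-10033 technique depends on.

```python
import re
from dataclasses import dataclass

# Illustrative model of the request-to-mail flow; Vanilla Forums is PHP and
# this is not its code. The reset path "/entry/passwordreset/<token>" and the
# "noreply@" sender are assumptions made for the example.


@dataclass
class ResetMail:
    to: str          # recipient (the targeted user)
    sender: str      # address handed to the mailer as From / envelope sender
    reset_link: str  # link the user is expected to click


# A plain mailbox local part: letters, digits and a few safe punctuation
# characters. Quotes and whitespace, which the published PHPMailer
# CVE-2016-10033 technique relies on to smuggle extra sendmail arguments,
# are deliberately excluded.
SAFE_LOCAL_PART = re.compile(r"^[A-Za-z0-9._+-]+$")
HOSTNAME = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*(:\d{1,5})?$")


def build_reset_mail_vulnerable(headers: dict, user_email: str, token: str) -> ResetMail:
    """Vulnerable pattern: both the sender domain and the link host come
    from the client-controlled Host header. A request carrying
    Host: attacker-mxserver.com makes bounces and replies go to the
    attacker's mail server and points the reset link at a host the
    attacker owns."""
    host = headers.get("Host", "localhost")
    return ResetMail(
        to=user_email,
        sender=f"noreply@{host}",
        reset_link=f"https://{host}/entry/passwordreset/{token}",
    )


def host_is_expected(headers: dict, canonical_host: str) -> bool:
    """Accept a request only if its Host header names the configured site."""
    return headers.get("Host", "") == canonical_host


def sender_is_suspicious(sender: str) -> bool:
    """True if the address is not a plain local@host pair. Use this as a
    guard in front of any mailer call so that an address containing
    quotes or spaces never reaches a sendmail binary."""
    local, at, domain = sender.rpartition("@")
    if at != "@":
        return True
    return not (SAFE_LOCAL_PART.match(local) and HOSTNAME.match(domain))


def build_reset_mail_hardened(headers: dict, user_email: str, token: str,
                              canonical_host: str, static_sender: str) -> ResetMail:
    """Hardened pattern: the sender is a fixed, validated address (the
    temporary mitigation recommended in the article), the link host is the
    configured canonical host, and a request with any other Host header is
    refused rather than trusted."""
    if not host_is_expected(headers, canonical_host):
        raise ValueError(f"unexpected Host header: {headers.get('Host')!r}")
    if sender_is_suspicious(static_sender):
        raise ValueError("static sender must be a plain mailbox address")
    return ResetMail(
        to=user_email,
        sender=static_sender,
        reset_link=f"https://{canonical_host}/entry/passwordreset/{token}",
    )


if __name__ == "__main__":
    # Constructed request: a reset for the admin with a spoofed Host header.
    spoofed = {"Host": "attacker-mxserver.com"}
    print(build_reset_mail_vulnerable(spoofed, "admin@forum.example", "t0k"))
    try:
        build_reset_mail_hardened(spoofed, "admin@forum.example", "t0k",
                                  "forum.example", "noreply@forum.example")
    except ValueError as err:
        print("rejected:", err)
```

Note that the character check in `sender_is_suspicious` is not a substitute for the Host check: `noreply@attacker-mxserver.com` is a perfectly well-formed address, so the account-hijack path is closed only by refusing to derive anything from the Host header in the first place.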



from The Hacker News http://ift.tt/2r0uQhz