Popular open source forum software suffers from vulnerabilities that could let an attacker gain access to user accounts, carry out web-cache poisoning attacks, and in some instances, execute arbitrary code.
Legal Hackers’ Dawid Golunski found the vulnerabilities, a host header injection and an unauthorized remote code execution vulnerability, in software developed by Vanilla Forums.
Golunski reported the issues to Vanilla Forums in January and while a support team acknowledged his reports, he’s experienced five months of silence from the company since, something that prompted him to finally disclose the vulnerabilities Thursday via his ExploitBox.io service.
The researcher confirmed the vulnerabilities exist in the most recent, stable version (2.3) of Vanilla Forums. He presumes older versions of the forum software are also vulnerable.
When reached Thursday, Lincoln Russell, a senior developer at Vanilla Forums, stressed that the vulnerabilities, which are in the middle of being fixed, only affect the company’s free and open source product.
Golunski says the most concerning vulnerability, the RCE (CVE-2016-10033), stems from a PHPMailer vulnerability he disclosed last December. An attacker could remotely exploit the same vulnerability in Vanilla Forums by sending a web request in which a payload is passed within the HOST header.
Since in this instance the HOST header is used to form the sender email address, that address is passed to the PHPMailer library as the sender in the line of code $this->PhpMailer->Sender = $SenderEmail.
The forum software still uses version 5.1 of PHPMailer, which exposes it to the vulnerability, Golunski says.
Golunski demonstrated in a video, posted Thursday, how to get a shell from a site running Vanilla Forums 2.3. By combining the RCE with the host header injection vulnerability he found, Golunski shows how to compromise a site.
Russell told Threatpost Thursday that Vanilla Forums had originally earmarked the software’s PHPMailer library for an update after Golunski contacted the company, but acknowledged that a workflow error caused developers to miss following through with a new public release. The company now plans to rush out a fix.
“We will expedite said release now, as we would have done had any followup been made by Golunski,” Russell said. “Again, our cloud service was not vulnerable, having naturally received an update to PHPMailer last year as part of our transition to Composer-based dependencies.”
Until a fix is pushed, Golunski is encouraging users, as a temporary mitigation, to preset the sender’s support email address to a static value, which prevents the address from being created dynamically from the HOST header.
Golunski says the second issue, the host header injection vulnerability (CVE-2016-10073), also affects version 2.3 of the software.
The issue stems from the fact that the forum software uses the user-supplied HTTP HOST header when sending emails from the host on which the forum is installed. That means an attacker could use the HTTP HOST header to set the email domain to an arbitrary host.
It would require user interaction, but if exploited, it’s possible the bug could help an attacker intercept a password reset hash and gain access to a victim’s account.
An attacker would have to send the victim an email tricking them into clicking through a password reset link, he says.
“The resulting email will have the sender’s address set to noreply@attackers_server. The password reset link will also contain the attacker’s server which could allow the attacker to intercept the hash if the victim user clicked on the malicious link,” Golunski wrote Thursday.
It’s possible the vulnerability could also lead to web-cache poisoning if the HOST header is used to form links in web responses, Golunski says.
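The two values the article describes as coming from the Host header, the sender address and the links embedded in emails and responses, are shown below in a hardened form. This is an added example written for this article, not code from Vanilla Forums: the sender is a static configured address (the interim mitigation Golunski suggests), the password-reset link is built from a configured canonical host, and the incoming HTTP_HOST is checked against an allowlist before any of that runs. The host names, the configuration constants and the /password-reset path are assumptions, not Vanilla’s real settings or routes.

```php
<?php
// Added example for this article, not Vanilla Forums code. It contrasts the
// pattern described above (sender address and links derived from the
// client-controlled Host header) with a hardened version that uses only
// configured values.

// Assumed configuration; a real install would read these from its config.
const CANONICAL_HOST = 'forum.example.com';                            // assumed
const ALLOWED_HOSTS  = ['forum.example.com', 'www.forum.example.com']; // assumed
const SUPPORT_EMAIL  = 'noreply@forum.example.com';                    // static sender

// Vulnerable pattern, shown for contrast: the sender follows the Host header,
// so the request decides the domain (noreply@<whatever the client sent>).
function senderFromRequest(array $server): string
{
    return 'noreply@' . ($server['HTTP_HOST'] ?? '');
}

// Hardened: the sender is a fixed, configured address, so the value handed to
// PHPMailer's Sender property is never influenced by the request.
function staticSender(): string
{
    return SUPPORT_EMAIL;
}

// Refuse requests whose Host header is not one of the configured hosts; this
// closes the web-cache poisoning angle as well as the email one.
function requestHostIsAllowed(array $server): bool
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host); // ignore an explicit port
    return in_array($host, ALLOWED_HOSTS, true);
}

// Build the absolute password-reset URL from the canonical host only.
// The /password-reset path is an assumption, not Vanilla's real route.
function passwordResetLink(string $token): string
{
    if (!preg_match('/^[A-Za-z0-9]{20,64}$/', $token)) {
        throw new InvalidArgumentException('malformed reset token');
    }
    return 'https://' . CANONICAL_HOST . '/password-reset?token=' . rawurlencode($token);
}

// Constructed sample requests: one legitimate, one with a spoofed Host header.
$requests = [
    ['HTTP_HOST' => 'forum.example.com'],
    ['HTTP_HOST' => 'attackers-server.invalid'],
];

foreach ($requests as $req) {
    printf("Host %-26s vulnerable sender: %-36s allowed: %s\n",
        $req['HTTP_HOST'],
        senderFromRequest($req),
        requestHostIsAllowed($req) ? 'yes' : 'no');
}

// Hardened path: identical output no matter which Host header arrived.
echo 'sender: ', staticSender(), "\n";
echo 'reset link: ', passwordResetLink(str_repeat('a', 32)), "\n";
```

The static sender alone is the small stopgap Golunski proposes; the allowlist check is the broader change Russell describes as unwinding the use of the server variable, and it belongs in the request front controller so that a request carrying an unexpected Host never reaches mail or link-generation code at all.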
According to Russell, when Vanilla Forums responded to Golunski in January it told him the issue would take some time to fix due to the “complexity of unwinding the use of this server variable without breaking the myriad scenarios it can be used for in open source environments.”
Golunski, according to Russell, failed to alert the company that he was planning to publish his disclosure Thursday.
“Golunski had expressed a more simplistic view of the issue and was openly impatient with us,” Russell said. “We received no further communication from the researcher after our explanation and request for time, nor prior to its publication.”
Russell added that a developer at Vanilla Forums had already been assigned to and was in the middle of a general-case fix for the vulnerability and that Golunski’s disclosure has forced its hand.
“We will issue a new version that simply strips its use, making it inappropriate for some setups which will also likely confuse the messaging around its release. The HTTP_HOST vulnerability never affected our cloud service,” Russell said.
“We believe these publications were hostile to the users of our free and open source software,” Russell said. “Both the updated version of PHPMailer and the potentially breaking change to the use of HTTP_HOST will shortly be made available in a new open source version, Vanilla 2.3.1. The same outcome could have been achieved with sufficient communication or warning.”
Golunski hinted at the vulnerabilities in Vanilla Forums back in December but didn’t name the software. When he disclosed the initial PHPMailer bug the researcher mentioned that he had developed an unauthenticated RCE exploit for “a popular open-source application (deployed on the Internet on more than a million servers) as a PoC for real-world exploitation.”
Both the Vanilla Forums vulnerabilities and a similar RCE vulnerability in WordPress 4.6 that Golunski disclosed last week relate to PHPMailer and PHP mail() function injection.
“The exploits and techniques prove that these types of vulnerabilities could be exploited by unauthenticated attackers via server headers such as HOST header that may be used internally by a vulnerable application to dynamically create a sender address,” Golunski told Threatpost Thursday. “This adds to the originally presented attack surface of contact forms that take user input including From/Sender address.”
*This article was updated at 6:50 p.m. EST to include statements from Vanilla Forums