Forum software used by companies such as Hootsuite, Adobe, Patagonia, and Harvard University suffers from vulnerabilities that could let an attacker gain access to user accounts, carry out web-cache poisoning attacks, and in some instances, execute arbitrary code.
Legal Hackers’ Dawid Golunski found the vulnerabilities, a host header injection and an unauthorized remote code execution vulnerability, in software developed by Vanilla Forums.
Golunski reported the issues to Vanilla Forums in January, and while a support team acknowledged his reports, he has heard nothing from the company in the five months since, something that prompted him to finally disclose the vulnerabilities Thursday via his ExploitBox.io service.
The researcher confirmed the vulnerabilities exist in the most recent, stable version (2.3) of Vanilla Forums. He presumes older versions of the forum software are also vulnerable.
According to Vanilla Forums’ site, the company’s software is also used by virtual reality company Oculus, automotive information site Edmunds, and the personal finance company SoFi.
Golunski says the most concerning vulnerability, the RCE (CVE-2016-10033), stems from a PHPMailer vulnerability he disclosed last December. An attacker could remotely exploit the same vulnerability in Vanilla Forums by sending a web request in which a payload is passed within the HOST header.
Since in this instance the HOST header is used to form the sender email, the address can be passed to the PHPMailer library as the sender address in a line of code, $this->PhpMailer->Sender = $SenderEmail.
The forum software still uses version 5.1 of PHPMailer, which exposes it to the vulnerability, Golunski says.
He demonstrates in a video, posted Thursday, how to get a shell from a site running Vanilla Forums 2.3. By combining the RCE with the host header injection vulnerability he found, Golunski shows how to compromise a site.
As there is currently no fix available, Golunski says that as a quick mitigation users can preset the sender’s support email address to a static value, which prevents the address from being built dynamically from the HOST header.
Golunski says the second issue, the host header injection vulnerability (CVE-2016-10073), also affects version 2.3 of the software.
The issue stems from the fact that the forum software uses the user-supplied HTTP HOST header when sending emails from the host on which the forum is installed. That means an attacker could use the HTTP HOST header to set the email domain to an arbitrary host.
Exploitation would require user interaction, but if successful, the bug could help an attacker intercept a password reset hash and gain access to a victim’s account.
An attacker would have to send the victim an email tricking them into clicking through a password reset link, he says.
“The resulting email will have the sender’s address set to noreply@attackers_server. The password reset link will also contain the attacker’s server which could allow the attacker to intercept the hash if the victim user clicked on the malicious link,” Golunski wrote Thursday.
It’s possible the vulnerability could also lead to web-cache poisoning if the HOST header is used to form links in web responses, Golunski says.
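The two findings share one root cause: the application trusts the request’s HOST header when it builds the sender address and the links it mails out. The PHP below is an added illustration for this article, not Vanilla Forums’ code or Golunski’s proof of concept. It places the unsafe pattern next to a hardened version that follows the mitigation described above (a static, validated sender address and a canonical host taken from configuration rather than from the request). The constant names, the allowlist, the sample addresses and the reset-link path are all constructed for the example.

```php
<?php
// Added example, not Vanilla Forums code. Compares deriving the mail sender
// and link host from the client-controlled Host header with a configured,
// static alternative. All names and values below are assumptions.

const ALLOWED_HOSTS = ['forum.example.com'];        // constructed allowlist
const STATIC_SENDER = 'noreply@forum.example.com';  // preset sender address
const RESET_PATH    = '/reset-link';                // hypothetical link path

// Unsafe pattern: whatever the client put in Host ends up in the sender
// address and in the absolute URL placed in the outgoing email.
function unsafeSenderAndBase(array $server): array {
    $host = $server['HTTP_HOST'] ?? 'localhost';
    return [
        'sender' => 'noreply@' . $host,
        'base'   => 'https://' . $host,
    ];
}

// Hardened pattern: the sender is a fixed, validated address, and the link
// host must match the configured allowlist or the canonical host is used.
function safeSenderAndBase(array $server): array {
    $host = strtolower($server['HTTP_HOST'] ?? '');
    // Drop an explicit port so "forum.example.com:443" still matches.
    $host = preg_replace('/:\d+$/', '', $host);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        // Never echo an unrecognised Host value back; fall back to canonical.
        $host = ALLOWED_HOSTS[0];
    }

    $sender = STATIC_SENDER;
    // Belt and braces: the configured value must be a plain address with no
    // whitespace or quoting characters before it reaches the mail library.
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false
        || preg_match('/[\s"\'<>]/', $sender)) {
        throw new RuntimeException('configured sender is not a plain email address');
    }

    return ['sender' => $sender, 'base' => 'https://' . $host];
}

// Constructed requests: one with the real host, one with a spoofed Host header.
$requests = [
    ['HTTP_HOST' => 'forum.example.com'],
    ['HTTP_HOST' => 'attackers_server'],
];

foreach ($requests as $req) {
    $u = unsafeSenderAndBase($req);
    $s = safeSenderAndBase($req);
    printf("Host=%s\n", $req['HTTP_HOST']);
    printf("  unsafe: sender=%s link=%s%s\n", $u['sender'], $u['base'], RESET_PATH);
    printf("  safe:   sender=%s link=%s%s\n", $s['sender'], $s['base'], RESET_PATH);
}
```

Run with the PHP CLI; for the spoofed request the unsafe branch prints a sender and reset link pointing at attackers_server, while the hardened branch prints the configured address and canonical host both times. The allowlist check belongs in the application (or as a default virtual host that rejects unknown Host values at the web server) rather than in a single mail path, since the same header feeds the links that a cache may store.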
Golunski hinted at the vulnerabilities in Vanilla Forums back in December but didn’t name the software. When he disclosed the initial PHPMailer bug, the researcher mentioned that he had developed an unauthenticated RCE exploit for “a popular open-source application (deployed on the Internet on more than a million servers) as a PoC for real-world exploitation.”