
0-Day Flaws in Vanilla Forums Allow Remote Attackers to Hack Websites

A security researcher has publicly disclosed two critical zero-day vulnerabilities in Vanilla Forums, an open source software that powers discussion on over 500,000 websites, which could allow unauthenticated, remote attackers to fully compromise targeted websites easily.

Discovered by Polish security researcher Dawid Golunski of Legal Hackers, two separate unpatched vulnerabilities, a remote code execution (CVE-2016-10033) and host header injection (CVE-2016-10073), affect the latest version of Vanilla Forums 2.3, leaving hundreds of thousands of websites and their visitors vulnerable to various hacking attacks.

Vanilla Forums: Remote Code Execution Flaw


According to Golunski, both vulnerabilities technically exist because Vanilla Forums is still using a vulnerable version of PHPMailer, one of the most popular open source PHP libraries used to send emails.

Last year Golunski reported a critical remote code execution flaw (CVE-2016-10033) in the PHPMailer library that allows an attacker to remotely execute arbitrary code in the context of the web server and compromise the target web application.
In a proof-of-concept video, Golunski demonstrated that the same PHPMailer exploit also makes Vanilla Forums vulnerable, and if used in combination with host header injection, it allows attackers to inject arbitrary commands and payloads passed inside the HOST header.
"It should be noted that this vulnerability can still be exploited even if Vanilla software is hosted on Apache web server with several name-based vhosts enabled, and despite not being the default vhost," the researcher explained.

Vanilla Forums: Host Header Injection Flaw


The Host Header Injection vulnerability in Vanilla Forums can also be used independently to hijack user accounts, let's say admin, by sending a spoofed HTTP request with a custom HOST header (for example attacker-mxserver.com), while initiating a password reset process for a targeted admin user.

This technique also works in a similar way to the WordPress flaw Golunski disclosed just last week, allowing attackers to gain access to user accounts, "carrying Web-cache poisoning attacks, and in some instances, execute arbitrary code."

Golunski reported the vulnerabilities to Vanilla Forums in January this year. The company acknowledged his reports but went mum for some 5 months, which made him go public with his findings.

The researcher confirmed both flaws still exist in the most recent, stable version 2.3 of Vanilla Forums, and believes that older versions of the forum software are also vulnerable.

Until the company fixes the issue, as a temporary mitigation, Golunski advises website administrators to set the sender's email address to a predefined static value in order to block Vanilla Forums from using the HOST header.
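
The mitigation above, sketched as an added PHP example (not code from Vanilla Forums, PHPMailer or the researcher): a sender address derived from the request's HOST header next to a static one, plus a host allowlist check. The address `noreply@forum.example.org`, the allowlist and all function names are hypothetical placeholders for a deployment's own values.

```php
<?php
// Added illustration; not Vanilla Forums or PHPMailer source code.
// Hypothetical deployment values: replace with your own.
const STATIC_SENDER = 'noreply@forum.example.org';
const ALLOWED_HOSTS = ['forum.example.org', 'www.forum.example.org'];

// Risky pattern: the sender's domain is whatever the client sent as Host.
function senderFromHostHeader(array $server): string
{
    return 'noreply@' . ($server['HTTP_HOST'] ?? 'localhost');
}

// Mitigation: the sender is a fixed, validated value and never
// depends on request data.
function staticSender(): string
{
    if (filter_var(STATIC_SENDER, FILTER_VALIDATE_EMAIL) === false) {
        throw new RuntimeException('STATIC_SENDER is not a valid address');
    }
    return STATIC_SENDER;
}

// Defence in depth: only serve requests whose Host is one we expect,
// so host-derived values elsewhere (e.g. reset links) cannot be steered.
function hostIsAllowed(array $server): bool
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host); // drop an optional port
    return in_array($host, ALLOWED_HOSTS, true);
}

// Constructed sample requests (not captured traffic).
$samples = [
    ['HTTP_HOST' => 'forum.example.org'],
    ['HTTP_HOST' => 'attacker-mxserver.com'],
];

foreach ($samples as $server) {
    printf(
        "Host=%-22s allowed=%-3s host-derived=%-30s static=%s\n",
        $server['HTTP_HOST'],
        hostIsAllowed($server) ? 'yes' : 'no',
        senderFromHostHeader($server),
        staticSender()
    );
}
```

For the second sample the host-derived sender follows the spoofed header while the static sender is unchanged, and the allowlist check flags the request before any mail is composed.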

Update: Vanilla Forums fixed the reported vulnerabilities last night, and said the issues only affect its free and open source product, adding "neither of these vulnerabilities affect our cloud customers" at vanillaforums.com, "nor were they at the time of their publication."

Users of its free and open source software are strongly recommended to update their Vanilla Forums software to the latest open source version, Vanilla 2.3.1.