0-Day Flaws in Vanilla Forums Let Remote Attackers Hack Websites

A security researcher has publicly disclosed two critical zero-day vulnerabilities in Vanilla Forums, an open source software that powers discussion on over 500,000 websites, which could allow unauthenticated, remote attackers to fully compromise targeted websites easily.

Discovered by Polish security researcher Dawid Golunski of Legal Hackers, two separate unpatched vulnerabilities, a remote code execution (CVE-2016-10033) and host header injection (CVE-2016-10073), affect the latest version of Vanilla Forums 2.3, leaving hundreds of thousands of websites and their visitors vulnerable to various hacking attacks.

Vanilla Forums: Remote Code Execution Flaw

According to Golunski, both vulnerabilities technically exist because Vanilla Forum is still using a vulnerable version of PHPMailer, one of the most popular open source PHP libraries used to send emails.

Last year Golunski reported a critical remote code execution flaw (CVE-2016-10033) in PHPMailer library that allows an attacker to remotely execute arbitrary code in the context of the web server and compromise the target web application.

In a proof-of-concept video, Golunski demonstrated that the same PHPMailer exploit also makes the Vanilla Forums vulnerable, and if used in combination with host header injection, it allows attackers to inject arbitrary commands and payloads passed within the HOST header.

> “It should be noted that this vulnerability can still be exploited even if Vanilla software is hosted on Apache web server with several name-based vhosts enabled, and despite not being the default vhost,” the researcher explained.

Vanilla Forums: Host Header Injection Flaw

The Host Header Injection vulnerability in Vanilla forum can also be independently used to hijack user accounts, let’s say admin, by sending a spoofed HTTP request with a custom HOST header (for example attacker-mxserver.com), while initiating a password reset process for a targeted admin user.

This technique also works in a similar manner as the Wordpress flaw, Golunski disclosed just last week, allowing attackers to gain access to user accounts, “carrying Web-cache poisoning attacks, and in some instances, execute arbitrary code.”

Golunski reported the vulnerabilities to the Vanilla Forums in January this year. The company acknowledged his reports but went mum for around five months, which made him go public with his findings.

The researcher confirmed both the flaws still exist in the most recent, stable version 2.3 of Vanilla Forums, and believes that older versions of the forum software are also vulnerable.

Until the company fixes the issue, as a temporary mitigation, Golunski advises website administrator to set the sender’s email address to a predefined static value in order to block the Vanilla Forums from using the HOST header.

**Update:**Vanilla Forums fixed the reported vulnerabilities last night, and said the issues only affect its free and open source product, adding “neither of these vulnerabilities affect our cloud customers” at vanillaforums.com, “nor were they at the time of their publication.”

Users of its free and open source software are strongly recommended to update their Vanilla Forums software to the latest open source version, Vanilla 2.3.1.