Discovered past times Polish safety researcher Dawid Golunski of Legal Hackers, ii dissever unpatched vulnerabilities, a remote code execution (CVE-2016-10033) together with host header injection (CVE-2016-10073), behavior on the latest version of Vanilla Forums 2.3, leaving hundreds of thousands of websites together with their visitors vulnerable to diverse hacking attacks.
Vanilla Forums: Remote Code Execution Flaw
According to Golunski, both vulnerabilities technically be because Vanilla Forum is yet using a vulnerable version of PHPMailer, i of the nigh pop opened upwards beginning PHP libraries used to ship emails.
Last twelvemonth Golunski reported a critical remote code execution flaw (CVE-2016-10033) inward PHPMailer library that allows an aggressor to remotely execute arbitrary code inward the context of the spider web server together with compromise the target spider web application.
"It should live on noted that this vulnerability tin yet live on exploited fifty-fifty if Vanilla software is hosted on Apache spider web server amongst several name-based vhosts enabled, together with despite non existence the default vhost," the researcher explained.
Vanilla Forums: Host Header Injection Flaw
The Host Header Injection vulnerability inward Vanilla forum tin besides live on independently used to hijack user accounts, let's state admin, past times sending a spoofed HTTP asking amongst a custom HOST header (for representative attacker-mxserver.com), piece initiating a password reset procedure for a targeted admin user.
This technique besides industrial plant inward a like mode every bit the Wordpress flaw, Golunski disclosed simply terminal week, allowing attackers to gain access to user accounts, "carrying Web-cache poisoning attacks, together with inward some instances, execute arbitrary code."
Golunski reported the vulnerabilities to the Vanilla Forums inward Jan this year. The society acknowledged his reports but went mum for some v months, which made him become populace amongst his findings.
The researcher confirmed both the flaws yet be inward the nigh recent, stable version 2.3 of Vanilla Forums, together with believes that older versions of the forum software are besides vulnerable.
Until the society fixes the issue, every bit a temporary mitigation, Golunski advises website administrator to laid the sender's e-mail address to a predefined static value inward lodge to block the Vanilla Forums from using the HOST header.
Update: Vanilla Forums fixed the reported vulnerabilities terminal night, together with said the issues alone behavior on its gratis together with opened upwards beginning product, adding "neither of these vulnerabilities behavior on our cloud customers" at vanillaforums.com, "nor were they at the fourth dimension of their publication."
Users of its gratis together with opened upwards beginning software are strongly recommended to update their Vanilla Forums software to the latest opened upwards beginning version, Vanilla 2.3.1.
