Vanilla Forums, a popular open source solution for building forums, is suffering from serious security flaws. The newly reported holes could let an attacker gain access to user accounts and carry out web-cache poisoning attacks.
Dawid Golunski of Legal Hackers first reported that the vulnerabilities exist in Vanilla Forums. Golunski, a Polish security researcher, reveals that the forum software is affected by a host header injection and an unauthenticated remote code execution vulnerability.
An attacker can exploit the flaws remotely to get at user data. The RCE vulnerability (CVE-2016-10033) lies in the PHPMailer library bundled with the software. The attacker sends a web request whose HOST header carries the payload: Vanilla Forums builds the sender's email address from that header, and a crafted address ends up injected into the arguments PHPMailer hands to sendmail. According to Golunski, Vanilla Forums still ships PHPMailer 5.1, which is exposed to this vulnerability.
The vulnerabilities were first reported back in January, but the Vanilla Forums team has not fixed the issues yet. Moreover, the most recent version of Vanilla Forums still carries the same vulnerabilities.
Fix in the pipeline
According to Lincoln Russell of Vanilla Forums, the company has acknowledged the vulnerabilities and they will be fixed soon. He says the vulnerabilities affect only the company's free and open source products. Russell also promises to expedite the new release and push an update at the earliest.
In the meantime, users are advised to set the sender's support email address to a static value. This prevents the address from being built dynamically from the HOST header and so removes the attacker's control over it.
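The following is an added illustration, written for this page rather than taken from Vanilla Forums or PHPMailer, of the mechanism described above and of the static-sender workaround: a sender address derived from the Host header flows unchanged into the sendmail options that PHPMailer's mail() transport passes to PHP's mail(), while a configured, validated address does not. The function names, the configured address and the sample Host header are constructed for the example.

```php
<?php
// Added example, not code from Vanilla Forums or PHPMailer. It shows how a
// sender address derived from the HTTP Host header reaches sendmail's
// argument list through PHPMailer 5.x's mail() transport, and the static,
// validated alternative described above. Names and the sample request are
// constructed for illustration.

// --- Vulnerable pattern: sender address built from client-controlled input ---
function senderFromHost(array $server): string
{
    // HTTP_HOST is whatever the client put in the Host header.
    $host = $server['HTTP_HOST'] ?? 'localhost';
    return 'noreply@' . $host;
}

// PHPMailer 5.x's mail() transport places the Sender after -f in the fifth
// argument of PHP's mail(), i.e. as extra sendmail command-line options
// (the exact formatting differs slightly between 5.x releases). Without
// escaping, whitespace in the address splits it into additional options.
function sendmailParams(string $sender): string
{
    return '-f' . $sender;
}

// --- Hardened pattern: static sender from configuration, validated once ---
const SUPPORT_SENDER = 'noreply@forum.example.com'; // configured, never derived

function isSafeSender(string $addr): bool
{
    // Reject anything that could become a separate sendmail argument:
    // whitespace, quoting or escape characters, or a leading dash.
    if ($addr === '' || $addr[0] === '-' || preg_match('/[\s"\'\\\\]/', $addr)) {
        return false;
    }
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

function safeSender(string $configured): string
{
    if (!isSafeSender($configured)) {
        throw new InvalidArgumentException('Unsafe sender address in configuration');
    }
    return $configured;
}

// Constructed request: the Host header carries a space and an extra token
// that sendmail would parse as an option (the option itself is illustrative).
$server = ['HTTP_HOST' => 'forum.example.com -oQ/tmp/'];

$bad = senderFromHost($server);
printf("Derived sender : %s\n", $bad);
printf("sendmail params: %s\n", sendmailParams($bad));
printf("Accepted?      : %s\n", isSafeSender($bad) ? 'yes' : 'no');

$good = safeSender(SUPPORT_SENDER);
printf("Static sender  : %s\n", $good);
printf("sendmail params: %s\n", sendmailParams($good));
printf("Accepted?      : %s\n", isSafeSender($good) ? 'yes' : 'no');
```

Run it with `php example.php`. The derived address carries the injected token straight into the sendmail parameters, while the static address passes the check and yields a single `-f` option. Note that fixing the sender address only removes the attacker's influence over it; the vulnerable PHPMailer library remains in place until the software is updated.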
Update: Vanilla Forums has patched the vulnerability. Adrian Speyer, marketing manager at Vanilla Forums, told Open Source For You that the impact was limited primarily to open source users; hosted customers remained unaffected.
This has been patched. Please read: https://open.vanillaforums.com/discussion/33498/critical-security-release-vanilla-2-3-1
Also to be clear, this impacted only open source, and none of our hosted customers were affected.