Data: CASIE
Trigger word:
hinted
Negative Trigger
from
vulnerabilities
that
could
let
an
attacker
gain
access
to
user
accounts
,
carry
out
web-cache
poisoning
attacks
,
and
in
some
instances
,
execute
arbitrary
code
.
Popular
open
source
forum
software
suffers
Vulnerability-related.DiscoverVulnerability
from
vulnerabilities
that
could
let
an
attacker
gain
access
to
user
accounts
,
carry
out
web-cache
poisoning
attacks
,
and
in
some
instances
,
execute
arbitrary
code
.
Legal
Hackers
‘
Dawid
Golunski
found
Vulnerability-related.DiscoverVulnerability
the
vulnerabilities
,
a
host
header
injection
and
an
unauthorized
remote
code
execution
vulnerability–in
software
which
is
developed
by
Vanilla
Forums
.
Golunski
reported
Vulnerability-related.DiscoverVulnerability
the
issues
to
Vanilla
Forums
in
January
and
while
a
support
team
acknowledged his reports
Vulnerability-related.DiscoverVulnerability
,
he
’
s
experienced
five
months
of
silence
from
the
company
since
,
something
that
prompted
him
to
finally
disclose
Vulnerability-related.DiscoverVulnerability
the
vulnerabilities
Thursday
via
his
ExploitBox.io
service
.
The
researcher
confirmed
Vulnerability-related.DiscoverVulnerability
the
vulnerabilities
exist in
Vulnerability-related.DiscoverVulnerability
the
most
recent
,
stable
version
(
2.3
)
of
Vanilla
Forums
.
He
presumes
Vulnerability-related.DiscoverVulnerability
older
versions
of
the
forum
software
are
also
vulnerable
Vulnerability-related.DiscoverVulnerability
.
When
reached
Thursday
,
Lincoln
Russell
,
a
senior
developer
at
Vanilla
Forums
stressed
the
vulnerabilities
,
which
are
in
the
middle
of
being fixed
Vulnerability-related.PatchVulnerability
,
only
affect
Vulnerability-related.DiscoverVulnerability
the
company
’
s
free
and
open
source
product
.
Golunski
says
Vulnerability-related.DiscoverVulnerability
the
most
concerning
vulnerability
,
the
RCE
(
CVE-2016-10033
)
stems
from
a
PHPMailer
vulnerability
he
disclosed
Vulnerability-related.DiscoverVulnerability
last
December
.
An
attacker
could remotely exploit
Vulnerability-related.DiscoverVulnerability
the
same
vulnerability
in
Vanilla
Forums
by
sending
a
web
request
in
which
a
payload
is
passed
within
the
HOST
header
.
Until
a
fix
is pushed
Vulnerability-related.PatchVulnerability
Golunski
is
encouraging
users
to
preset
the
sender
’
s
support
email
address
to
a
static
value
to
prevent
the
dynamic
creation
of
an
email
address
,
or
the
use
of
the
HOST
header
,
as
a
temporary
mitigation
.
Golunski
says
Vulnerability-related.DiscoverVulnerability
the
second
issue
,
the
host
header
injection
vulnerability
(
CVE-2016-10073
)
also
affects
Vulnerability-related.DiscoverVulnerability
version
2.3
of
the
software
.
The
issue
stems
from
the
fact
that
the
forum
software
uses
user-supplied
HTTP
HOST
header
when
sending
emails
from
the
host
on
which
the
forum
was
installed
.
That
means
an
attacker
could
use
HTTP
HOST
header
to
set
the
email
domain
to
an
arbitrary
host
.
It
would
require
user
interaction
but
if
exploited
Vulnerability-related.DiscoverVulnerability
,
it
’
s
possible
the
bug
could
help
an
attacker
intercept
Attack.Databreach
a
password
reset
hash
and
gain access
Attack.Databreach
to
a
victim
’
s
account
.
An
attacker
would
have send
Attack.Phishing
the
victim
an
email
tricking
Attack.Phishing
them
into
clicking
through
a
password
reset
link
,
he
says
.
“
The
resulting
email
will
have
the
sender
’
s
address
set
to
noreply
@
attackers_server
.
The
password
reset
link
will
also
contain
the
attacker
’
s
server
which
could
allow
the
attacker
to
intercept
the
hash
if
the
victim
user
clicked
on
the
malicious
link
,
”
Golunski
wrote
Thursday
.
It
’
s
possible
the
vulnerability
could
also
lead
to
web-cache
poisoning
if
the
HOST
header
is
used
to
form
links
in
web
responses
Golunski
says
Vulnerability-related.DiscoverVulnerability
.
According
to
Russell
,
when
Vanilla
Forums
responded
to
Golunski
in
January
it
told
him
the
issue
would
take
some
time
to
fix
Vulnerability-related.PatchVulnerability
due
to
the
“
complexity
of
unwinding
the
use
of
this
server
variable
without
breaking
the
myriad
scenarios
it
can
be
used
for
in
open
source
environments.
”
Golunski
hinted
Vulnerability-related.DiscoverVulnerability
at
the
vulnerabilities
in
Vanilla
Forums
back
in
December
but
didn
’
t
name
the
software
.
When
he
disclosed
Vulnerability-related.DiscoverVulnerability
the
initial
PHPMailer
bug
the
researcher
mentioned
that
he
had
developed
an
unauthenticated
RCE
exploit
for
“
a
popular
open-source
application
(
deployed
on
the
Internet
on
more
than
a
million
servers
)
as
a
PoC
for
real-world
exploitation.
”
Both
the
Vanilla
Forums
vulnerabilities
and
a
similar
RCE
vulnerability
in
WordPress
4.6
Golunski
disclosed
Vulnerability-related.DiscoverVulnerability
last
week
both
relate
to
PHPMailer
and
PHP
mail
(
)
function
injection
.
“
The
exploits
and
techniques
prove
that
these
type
of
vulnerabilities
could
be exploited
Vulnerability-related.DiscoverVulnerability
by
unauthenticated
attackers
via
server
headers
such
as
HOST
header
that
may
be
used
internally
by
a
vulnerable
application
to
dynamically
create
a
sender
address
,
”
Golunski
told
Threatpost
Thursday
,
“
This
adds
to
the
originally
presented
attack
surface
of
contact
forms
that
take
user
input
including
From/Sender
address
.
”