CVE-2016-10073
published 2017-05-23

Priority: P269 (high)
CVSS 3.0: 7.5, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: public exploit available
EPSS: 83.61% (99.7th percentile)
The from method in library/core/class.email.php in Vanilla Forums before 2.3.1 allows remote attackers to spoof the email domain in sent messages and potentially obtain sensitive information via a crafted HTTP Host header, as demonstrated by a password reset request.

Affected

1 range
Vendor          Product   Version range   Fixed in
vanillaforums   vanilla   <= 2.3.0        2.3.1

Detection & IOCs (extracted from sources)

path: library/core/class.email.php
url: /entry/passwordrequest
  • Monitor HTTP requests to /entry/passwordrequest where the Host header contains shell commands, IP addresses, or non-domain values — a crafted Host header is the attack vector for CVE-2016-10073.
  • Alert on POST requests to /entry/passwordrequest containing the parameter pattern 'hpt=&Target=discussions&Email=admin&Request+a+new+password=Request+a+new+password' — this is the exact POST body used in the exploit.
  • Detect outbound connections from the web server to attacker-controlled hosts on port 1337, indicative of the reverse shell callback stage of this exploit chain.
  • Alert on creation or execution of /tmp/rce on the web server host — the exploit drops and executes a shell payload at this path.
  • Inspect the Host header in password-reset requests for embedded bash TCP redirection syntax (e.g. /dev/tcp/), which is used to establish the reverse shell in this exploit.
  • The vulnerability exists only in Vanilla Forums versions before 2.3.1; patched installations are not affected. Verify the deployed version before triaging alerts.
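The detection guidance above boils down to one check: a password-reset request whose Host header is not one of the hostnames the deployment actually serves, or is not a hostname at all. The script below is an added example written for this page, not code from Vanilla Forums or from the CVE sources. It classifies the Host header of requests to /entry/passwordrequest as ok, untrusted (syntactically valid but not ours, including bare IP addresses) or malformed (slashes or other characters that never appear in a legitimate hostname), and places the vulnerable pattern the advisory describes (sender domain derived from Host) beside the mitigation (sender domain from configuration). The allowlist and the sample requests are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Password-reset endpoint named in the IOC list above.
PASSWORD_RESET_PATH = "/entry/passwordrequest"

# Hostnames this deployment legitimately serves (assumed configuration value).
ALLOWED_HOSTS = {"forum.example.com", "www.forum.example.com"}

# RFC 1123 hostname with an optional :port. Slashes, spaces and shell
# metacharacters never appear in a legitimate Host value. (Bracketed IPv6
# literals are treated as malformed here for simplicity.)
_HOSTNAME_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?::\d{1,5})?$",
    re.IGNORECASE,
)
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?$")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def strip_port(host: str) -> str:
    """Return the hostname part of a Host header value, dropping any :port."""
    return host.rsplit(":", 1)[0] if ":" in host else host


def classify_host(host: Optional[str], allowed_hosts: set) -> str:
    """Classify a Host header as 'ok', 'untrusted' (valid syntax but not one of
    ours, including bare IP addresses) or 'malformed' (not a hostname at all)."""
    if not host or len(host) > 253 or not _HOSTNAME_RE.match(host):
        return "malformed"
    if _IPV4_RE.match(host):
        return "untrusted"
    if strip_port(host).lower() not in allowed_hosts:
        return "untrusted"
    return "ok"


def triage(req: HttpRequest, allowed_hosts: set) -> Optional[dict]:
    """Apply the Host check only to password-reset requests. Returns a finding
    dict for suspicious requests and None for everything else."""
    if req.path.split("?", 1)[0].lower() != PASSWORD_RESET_PATH:
        return None
    headers = {k.lower(): v for k, v in req.headers.items()}
    host = headers.get("host")
    verdict = classify_host(host, allowed_hosts)
    if verdict == "ok":
        return None
    return {"method": req.method, "path": req.path, "host": host, "verdict": verdict}


def from_address_vulnerable(host_header: str) -> str:
    """The pattern the advisory describes: the sender domain is derived from the
    request's Host header, so whoever controls that header controls the domain."""
    return f"noreply@{strip_port(host_header)}"


def from_address_hardened(configured_domain: str, host_header: str) -> str:
    """Mitigation: the sender domain comes from server-side configuration; the
    Host header is accepted only to make explicit that it is ignored."""
    del host_header
    return f"noreply@{configured_domain}"


# Constructed sample traffic (not captured data).
SAMPLE_REQUESTS = [
    HttpRequest("POST", PASSWORD_RESET_PATH, {"Host": "forum.example.com"}),
    HttpRequest("POST", PASSWORD_RESET_PATH, {"Host": "203.0.113.10"}),
    HttpRequest("POST", PASSWORD_RESET_PATH, {"host": "Forum.Example.com:8443"}),
    HttpRequest("POST", PASSWORD_RESET_PATH, {"Host": "attacker.example/dev/tcp/"}),
    HttpRequest("POST", PASSWORD_RESET_PATH, {"Host": "attacker.example"}),
    HttpRequest("GET", "/discussions", {"Host": "attacker.example"}),
]


def run_samples() -> list:
    """Verdict per sample request (None means no finding)."""
    return [(f["verdict"] if f else None)
            for f in (triage(r, ALLOWED_HOSTS) for r in SAMPLE_REQUESTS)]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, run_samples()):
        host = req.headers.get("Host") or req.headers.get("host")
        print(f"{req.method} {req.path} Host={host!r} -> {verdict}")
```

The check is scoped to the password-reset path so that ordinary virtual-host mismatches elsewhere do not flood the alert queue; the header lookup is case-insensitive and the port is stripped before the allowlist comparison, which is what most proxies and access logs need. The hardened sender function is the point of the advisory: whatever the web server does with Host, the mail layer must never read its domain from it.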

CVSS provenance

NVD, CVSS v3.0: 7.5 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD, CVSS v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N