Responsible disclosure helps to put vulnerabilities on ice

Community forum software provider Vanilla Forums has patched a serious vulnerability disclosed through its bug bounty program.

Researcher Steven Seeley found four remote code execution (RCE) flaws in the Vanilla Forums platform, including one that could be exploited by external hackers not even logged into targeted systems.

“One of the bugs was unauthenticated remote code execution, basically as bad as it gets – critical rating on Windows, high risk rating on Linux,” Seeley tells The Daily Swig. “The others were remote code execution that required authentication, but that could have been bypassed.”

The critical RCE flaw could allow an unauthenticated attacker to inject a serialized payload into a PHP archive (phar) file and trigger read access to it through an unprotected getimagesize() call.

PHP would then deserialize the untrusted data, giving the attacker remote code execution. Users of Vanilla Forums’ technology include IT firms such as Acer and ZTE, as well as Visit Scotland, among others.
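As an added illustration, not code from Vanilla Forums or from Seeley’s write-up, the PHP below shows the defensive pattern for the call described above: getimagesize() is reached only through a file name confined to a local upload directory, so a stream-wrapper path such as phar:// never reaches it. The function and class names, the upload directory and the constructed 1x1 GIF are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added example, not Vanilla Forums code. safeGetImageSize, ImageProbeError
// and the upload directory are assumptions for this illustration. The guard
// makes sure getimagesize() only ever sees a plain image file inside one
// directory, never a user-supplied path PHP could treat as a stream wrapper.

final class ImageProbeError extends RuntimeException {}

/**
 * Return getimagesize() data for the upload named by $userName, which may
 * come straight from an untrusted request. Throws ImageProbeError on any doubt.
 */
function safeGetImageSize(string $userName, string $uploadDir): array
{
    // 1. Refuse NUL bytes and anything that looks like a scheme (phar:, data:, ...).
    //    getimagesize() honours stream wrappers, so a phar:// path would open the
    //    archive and let PHP unserialize its metadata. Names like "a:b.gif" are
    //    rejected too; that strictness is deliberate.
    if (strpos($userName, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userName) === 1) {
        throw new ImageProbeError('scheme or NUL byte in file name');
    }

    // 2. Keep only the final path component and resolve it inside the upload
    //    directory; realpath() follows symlinks and removes "../" segments.
    $base = realpath($uploadDir);
    $real = realpath($uploadDir . DIRECTORY_SEPARATOR . basename($userName));
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($real)) {
        throw new ImageProbeError('file is not a regular file inside the upload directory');
    }

    // 3. Check the magic bytes ourselves before handing the file to the image parser.
    $knownMagic = [
        "\xFF\xD8\xFF"       => 'jpeg',
        "\x89PNG\r\n\x1A\n" => 'png',
        'GIF87a'             => 'gif',
        'GIF89a'             => 'gif',
    ];
    $head = (string) file_get_contents($real, false, null, 0, 8);
    $matched = false;
    foreach ($knownMagic as $sig => $_) {
        if (strncmp($head, $sig, strlen($sig)) === 0) {
            $matched = true;
            break;
        }
    }
    if (!$matched) {
        throw new ImageProbeError('unrecognised image header');
    }

    // 4. Only now call getimagesize(), on the validated local path.
    $info = getimagesize($real);
    if ($info === false) {
        throw new ImageProbeError('getimagesize() rejected the file');
    }
    return $info;
}

// Demonstration on a constructed 1x1 transparent GIF written to a temp directory.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'img-probe-' . getmypid();
    mkdir($dir, 0700);
    file_put_contents(
        $dir . DIRECTORY_SEPARATOR . 'pixel.gif',
        base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7')
    );

    [$w, $h] = safeGetImageSize('pixel.gif', $dir);
    echo "accepted pixel.gif: {$w}x{$h}\n";

    // Each of these must be rejected before getimagesize() is ever called.
    foreach (['phar://archive.phar/img', '../../etc/passwd', 'missing.gif'] as $bad) {
        try {
            safeGetImageSize($bad, $dir);
        } catch (ImageProbeError $e) {
            echo "rejected {$bad}: {$e->getMessage()}\n";
        }
    }

    unlink($dir . DIRECTORY_SEPARATOR . 'pixel.gif');
    rmdir($dir);
}
```

The order of the checks is the point: the scheme filter and basename() confinement stop a wrapper path before any PHP file function sees it, and the magic-byte check means a non-image upload is refused without the image parser ever being invoked. The same shape applies to any other function that accepts a path, since the wrapper handling belongs to PHP's stream layer rather than to getimagesize() itself.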

The vulnerabilities were revealed via a bug bounty program run by HackerOne.

“From our perspective, [the bug bounty program] has been extremely successful and has resulted in the discovery of several vulnerabilities, all of which have been patched,” a Vanilla Forums spokesperson tells The Daily Swig.

“Thanks to the ongoing efforts of security researchers within the HackerOne community, we have paid out five figures in bounties so far.”

“The program has helped us identify vulnerabilities missed by our own team and by security research firms that audit our codebase from time to time. We see the program as an important part of our security program and product quality efforts.”

Seeley, however, held some concerns about the way the company handled the matter.

“I was unhappy that they tried to hide that vulnerabilities even existed and that they do not track vulnerabilities publicly for end users,” he says. “They do not request CVEs and they hide commit messages for security patches.”

The Vanilla spokesperson says the company’s standing policy is to always permit responsible disclosure of all vulnerabilities discovered through the program.

“That said, Vanilla is an open source product with a wide and varied user base, so when we handle these vulnerabilities we try to keep those users' safety in mind,” they noted.

“Any vulnerability disclosed will have already been patched, but we also try to provide a reasonable delay between patches and disclosures to give our users the time to upgrade.”

More information on the Vanilla Forums flaws can be found on Seeley’s technical blog.