XenForo 1.5.x Remote Code Execution Vulnerability

1. ADVISORY INFORMATION
=======================
Product:        XenForo
Vendor URL:     xenforo.com
Type:           Code Injection [CWE-94]
Date found:     2016-12-09
Date published: 2016-12-15
CVSSv3 Score:   9.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C)
CVE:            -


2. CREDITS
==========

This vulnerability was discovered and researched by indepent security 
expert Vishal Mishra.


3. VERSIONS AFFECTED
====================

XenForo 1.5.x versions prior to 1.5.11a. 
Older versions may be affected too but were not tested.


4. VULNERABILITY DETAILS
========================

The vulnerability allows a remote attacker to overwrite arbitrary PHP 
variables within the context of the vulnerable application. The 
vulnerability exists due to insufficient validation of user-supplied 
input in an HTTP cookie, thus allowing to read sensitive information
from the XenForo database like usernames and passwords. Since the 
affected script does not require an authentication, this 
vulnerability can be exploited by an unauthenticated attacker.


5. PROOF OF CONCEPT
===================

The following proof-of-concept exploit the vulnerable HTTP cookie
and execute the phpinfo() function:

Detailed proof of concept has been removed for this advisory.


6. SOLUTION
===========

Update to the latest version v1.5.11a


7. REPORT TIMELINE
==================

2016-12-09: Discovery of the vulnerability
2016-12-11: Notified vendor via contact address
2016-12-13: Vendor provides update
2016-12-13: Provided update fixes the reported issues
2016-12-13: Vendor publishes update
2016-12-15: Coordinated release of security advisory without proof of concept


8. DISCLAIMER
=============

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated 
in order to provide as accurate information as possible.