p Updated The popular Vanilla Forums software needs patching against a remote code execution zero-day first reported to the developers in December 2016.
Published by ExploitBox, the zero-day “can be exploited by unauthenticated remote attackers to execute arbitrary code and fully compromise the target application when combined with Host Header injection vulnerability CVE-2016-10073.”
The problem arises because Vanilla Forums inherits a bug in PHPMailer.
The mailer uses PHP's mail() function as its default transport, as discussed by Legal Hackers here.
The mail() function can then be used to call Sendmail, and here's where the problem arises, because along that chain, an attacker can inject extra parameters into Sendmail.
when passed to PHPMailer (and eventually to mail()) function would cause