PhpBB Server Side Request Forgery Vulnerability

Title

Server Side Request Forgery Vulnerability

Product

phpBB

Vulnerable Version

3.2.0

Fixed Version

-

CVE Number

-

Impact

medium

Found

21.05.2017

By

Jasveer Singh (Office Kuala Lumpur) | SEC Consult Vulnerability Lab

The “Remote Avatar” function in phpBB allows an attacker to perform server-side request forgery (SSRF) attacks if the “Remote Avatar” functions is enabled.

Vendor Description

“phpBB is a free flat-forum bulletin board software solution that can be usedto stay in touch with a group of people or can power your entire website. Withan extensive database of user-created extensions and styles databasecontaining hundreds of style and image packages to customise your board, youcan create a very unique forum in minutes.”

Source: https://www.phpbb.com/

 

Business Recommendation

The patch should be installed immediately. Furthermore, SEC Consult recommends to perform a thorough security review of this software.

 

Vulnerability Overview/ Description

The phpBB forum software is vulnerable to the server side request forgery (SSRF) attack. An attacker is able to perform port scanning, requesting internal content and potentially attacking such internal services via the web application’s “Remote Avatar” function.

 

Proof Of Concept

This vulnerability can be exploited by an attacker with a registered account as low as a normal account. If the web application enables remote avatar, this feature could be abused by an attacker to perform port scanning. Below is the example on how the SSRF issue can be exploited

URL: http:// $DOMAIN/ucp.php?i=ucp_profile&mode=avatar
METHOD: POST
PARAMETER: avatar_remote_url
PAYLOAD : http:// $DOMAIN:$PORT/x.jpg

Vulnerable / Tested Versions

phpBB version 3.2.0 has been tested. This version was the latestat the time the security vulnerability was discovered.