The “Remote Avatar” function in phpBB allows an attacker to perform server-side request forgery (SSRF) attacks if the “Remote Avatar” functions is enabled.
“phpBB is a free flat-forum bulletin board software solution that can be usedto stay in touch with a group of people or can power your entire website. Withan extensive database of user-created extensions and styles databasecontaining hundreds of style and image packages to customise your board, youcan create a very unique forum in minutes.”
The patch should be installed immediately. Furthermore, SEC Consult recommends to perform a thorough security review of this software.
The phpBB forum software is vulnerable to the server side request forgery (SSRF) attack. An attacker is able to perform port scanning, requesting internal content and potentially attacking such internal services via the web application’s “Remote Avatar” function.
Proof of concept
This vulnerability can be exploited by an attacker with a registered account as low as a normal account. If the web application enables remote avatar, this feature could be abused by an attacker to perform port scanning. Below is the example on how the SSRF issue can be exploited.
- URL: http://$DOMAIN/ucp.php?i=ucp_profile&mode=avatar
- METHOD: POST
- PARAMETER: avatar_remote_url
- PAYLOAD : http://$DOMAIN:$PORT/x.jpg
Vulnerable / tested versions
phpBB version 3.2.0 has been tested. This version was the latestat the time the security vulnerability was discovered.
Vendor contact timeline
2017-05-23: Contacting vendor through security bug tracker.
2017-05-29: Vendor confirms the vulnerabilities and working on the fixes.
2017-07-12: Vendor requesting extension for deadline of 5 days from the latest possible release date.
2017-07-17: Patch released by the vendor.
2017-08-04: Public release of the advisory.
Upgrade to phpBB 3.2.1
For further information see:
EOF Jasveer Singh / @2017
- TitleServer Side Request Forgery Vulnerability
- Vulnerable version3.2.0
- Fixed version--
- CVE number--
- ByJasveer Singh (Office Kuala Lumpur) | SEC Consult Vulnerability Lab