phpBB Server Side Request Forgery Vulnerability

Project Description

The “Remote Avatar” function in phpBB allows an attacker to perform server-side request forgery (SSRF) attacks if the “Remote Avatar” functions is enabled.


 

Vendor description

“phpBB is a free flat-forum bulletin board software solution that can be usedto stay in touch with a group of people or can power your entire website. Withan extensive database of user-created extensions and styles databasecontaining hundreds of style and image packages to customise your board, youcan create a very unique forum in minutes.”

Source: https://www.phpbb.com/

 

Business recommendation

The patch should be installed immediately. Furthermore, SEC Consult recommends to perform a thorough security review of this software.

 

Vulnerability overview/description

The phpBB forum software is vulnerable to the server side request forgery (SSRF) attack. An attacker is able to perform port scanning, requesting internal content and potentially attacking such internal services via the web application’s “Remote Avatar” function.

 

Proof of concept

This vulnerability can be exploited by an attacker with a registered account as low as a normal account. If the web application enables remote avatar, this feature could be abused by an attacker to perform port scanning. Below is the example on how the SSRF issue can be exploited.

  • URL: http://$DOMAIN/ucp.php?i=ucp_profile&mode=avatar
  • METHOD: POST
  • PARAMETER: avatar_remote_url
  • PAYLOAD : http://$DOMAIN:$PORT/x.jpg

 

Vulnerable / tested versions

phpBB version 3.2.0 has been tested. This version was the latestat the time the security vulnerability was discovered.

 

Vendor contact timeline

2017-05-23: Contacting vendor through security bug tracker.
2017-05-29: Vendor confirms the vulnerabilities and working on the fixes.
2017-07-12: Vendor requesting extension for deadline of 5 days from the latest possible release date.
2017-07-17: Patch released by the vendor.
2017-08-04: Public release of the advisory.

 

Solution

Upgrade to phpBB 3.2.1

For further information see:
https://www.phpbb.com/community/viewtopic.php?f=14&p=14782136

 

Workaround

none

 

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

EOF Jasveer Singh / @2017

 

Project Details

  • TitleServer Side Request Forgery Vulnerability
  • ProductphpBB
  • Vulnerable version3.2.0
  • Fixed version--
  • CVE number--
  • ImpactMedium
  • Homepagehttps://www.phpbb.com/
  • Found2017-05-21
  • ByJasveer Singh (Office Kuala Lumpur) | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Blog. Blog

Back