“phpBB is a free flat-forum bulletin board software solution that can be usedto stay in touch with a group of people or can power your entire website. Withan extensive database of user-created extensions and styles databasecontaining hundreds of style and image packages to customise your board, youcan create a very unique forum in minutes.”
The patch should be installed immediately. Furthermore, SEC Consult recommends to perform a thorough security review of this software.
Vulnerability Overview/ Description
The phpBB forum software is vulnerable to the server side request forgery (SSRF) attack. An attacker is able to perform port scanning, requesting internal content and potentially attacking such internal services via the web application’s “Remote Avatar” function.
Proof Of Concept
This vulnerability can be exploited by an attacker with a registered account as low as a normal account. If the web application enables remote avatar, this feature could be abused by an attacker to perform port scanning. Below is the example on how the SSRF issue can be exploited.
- URL: $DOMAIN/ucp.php
- METHOD: POST
- PARAMETER: avatar_remote_url
- PAYLOAD : http://http://$DOMAIN:$PORT/x.jpg
Vulnerable / Tested Versions
phpBB version 3.2.0 has been tested. This version was the latestat the time the security vulnerability was discovered.