phpBB 3.2.0 Server Side Request Forgery

Type packetstorm
Reporter Jasveer Singh
Modified 2017-08-05T00:00:00


                                            `SEC Consult Vulnerability Lab Security Advisory < 20170804-0 >  
title: Server Side Request Forgery Vulnerability  
product: phpBB  
vulnerable version: 3.2.0  
fixed version: 3.2.1  
CVE number:  
impact: Medium  
found: 2017-05-21  
by: Jasveer Singh (Office Kuala Lumpur)  
SEC Consult Vulnerability Lab  
An integrated part of SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
Vendor description:  
"phpBB is a free flat-forum bulletin board software solution that can be used  
to stay in touch with a group of people or can power your entire website. With  
an extensive database of user-created extensions and styles database  
containing hundreds of style and image packages to customise your board, you  
can create a very unique forum in minutes."  
Business recommendation:  
The patch should be installed immediately. Furthermore, SEC Consult recommends  
to perform a thorough security review of this software.  
Vulnerability overview/description:  
The phpBB forum software is vulnerable to the server side request forgery  
(SSRF) attack. An attacker is able to perform port scanning, requesting  
internal content and potentially attacking such internal services via the  
web application's "Remote Avatar" function.  
Proof of concept:  
This vulnerability can be exploited by an attacker with a registered account  
as low as a normal account. If the web application enables remote avatar, this  
feature could be abused by an attacker to perform port scanning. Below is the  
example on how the SSRF issue can be exploited.  
URL : http://$DOMAIN/ucp.php?i=ucp_profile&mode=avatar  
PARAMETER : avatar_remote_url  
PAYLOAD : http://$DOMAIN:$PORT/x.jpg  
Vulnerable / tested versions:  
phpBB version 3.2.0 has been tested. This version was the latest  
at the time the security vulnerability was discovered.  
Vendor contact timeline:  
2017-05-23: Contacting vendor through security bug tracker.  
2017-05-29: Vendor confirms the vulnerabilities and working on the fixes.  
2017-07-12: Vendor requesting extension for deadline of 5 days from the  
latest possible release date.  
2017-07-17: Patch released by the vendor.  
2017-08-04: Public release of the advisory.  
Upgrade to phpBB 3.2.1  
For further information see:  
Advisory URL:  
SEC Consult Vulnerability Lab  
SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
Interested to work with the experts of SEC Consult?  
Send us your application  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices  
Mail: research at sec-consult dot com  
EOF Jasveer Singh / @2017