Session Token In URL

PhpBB sends the session token via a GET parameter in the URL. Due to the way phpbb works, having the session ID is not enough for a remote attacker to gain access to the application since the session tokens are tied to an IP address. However, with knowledge of the administrator’s session ID, the custom bbcode feature in the Administration Control Panel allows for CSRF attacks which would allow an attacker to submit a malicious bbcode on behalf of the administrator. The malicious bbcode contains a stored-XSS payload that would retrieve the anti-CSRF token and perform unwanted actions in the context of the administrator.