phpBB 3.2.0 Server Side Request Forgery

title: Server Side Request Forgery Vulnerability
product: phpBB
vulnerable version: 3.2.0
fixed version: 3.2.1
CVE number:
impact: Medium
found: 2017-05-21
by: Jasveer Singh (Office Kuala Lumpur)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok – Berlin – Linz – Luxembourg – Montreal – Moscow
Kuala Lumpur – Singapore – Vienna (HQ) – Vilnius – Zurich

Vendor description:
“phpBB is a free flat-forum bulletin board software solution that can be used
to stay in touch with a group of people or can power your entire website. With
an extensive database of user-created extensions and styles database
containing hundreds of style and image packages to customise your board, you
can create a very unique forum in minutes.”


Business recommendation:
The patch should be installed immediately. Furthermore, SEC Consult recommends
to perform a thorough security review of this software.

Vulnerability overview/description:
The phpBB forum software is vulnerable to the server side request forgery
(SSRF) attack. An attacker is able to perform port scanning, requesting
internal content and potentially attacking such internal services via the
web application’s “Remote Avatar” function.

Proof of concept:
This vulnerability can be exploited by an attacker with a registered account
as low as a normal account. If the web application enables remote avatar, this
feature could be abused by an attacker to perform port scanning. Below is the
example on how the SSRF issue can be exploited.

URL       : http://$DOMAIN/ucp.php?i=ucp_profile&mode=avatar
PARAMETER  : avatar_remote_url
PAYLOAD   : http://$DOMAIN:$PORT/x.jpg

Vulnerable / tested versions:
phpBB version 3.2.0 has been tested. This version was the latest
at the time the security vulnerability was discovered.

Vendor contact timeline:
2017-05-23: Contacting vendor through security bug tracker.
2017-05-29: Vendor confirms the vulnerabilities and working on the fixes.
2017-07-12: Vendor requesting extension for deadline of 5 days from the
latest possible release date.
2017-07-17: Patch released by the vendor.
2017-08-04: Public release of the advisory.

Upgrade to phpBB 3.2.1

For further information see:

本文固定链接: | 90' s Blog|关注信息安全

该日志由 unhonker 于2017年08月07日发表在 漏洞公布 分类下, 你可以发表评论,并在保留原文地址及作者的情况下引用到你的网站或博客。
原创文章转载请注明: phpBB 3.2.0 Server Side Request Forgery | 90' s Blog|关注信息安全

phpBB 3.2.0 Server Side Request Forgery:等您坐沙发呢!


您必须 [ 登录 ] 才能发表留言!