    phpBB forum fixes auth bypass bug lurking for a decade

By admin, June 13, 2026
    A 10-year-old authentication bypass vulnerability discovered in the phpBB forum software allows an attacker to log in as any user, including administrators.

The flaw has not been assigned an identifier and is trivial to exploit with a single HTTP request. It affects phpBB 4.0.0-a2 and 3.3.16 and earlier.

    Researchers at application security company Aikido found the bug on June 2nd and reported it through the developer’s HackerOne Vulnerability Disclosure Program.

    phpBB responded to the report immediately and addressed the problem on June 6 in version 3.3.17 of the software.

    According to Aikido, the flaw was introduced to phpBB’s codebase 10 years ago, impacting all versions of the 3.x and 4.x release branches, up to 3.3.16 and 4.0.0-a2. For the 4.x release, there’s no fix available yet.

    phpBB is a PHP-based free and open-source web forum platform that enjoyed peak popularity in the 2000s and early 2010s. Today, it is still powering thousands of forums worldwide.

Aikido says the bug can be triggered on a default installation, so exploiting it requires no special configuration.

    “The vulnerability is exploitable in the default configuration and requires no special knowledge,” reads Aikido’s report.

    “If you are on version 4.0.0-a2 or 3.3.16 and below, upgrade immediately to master (no safe 4.x release yet) and 3.3.17, respectively, to avoid compromise.”

Administrator access could allow attackers to read all private messages stored on the forum; create, modify, or delete content and user accounts; impersonate staff; or deface the site.

    Picking targets is also straightforward, as the member list on phpBB forums is public by default.

    Aikido notes that remote code execution (RCE) is not possible due to a separate password check that protects the Admin Control Panel.

The researchers are withholding all technical details for now to give forum administrators enough time to apply the security update, and have also contacted the administrators of large phpBB-based forums directly to alert them.

Note that the update may break forums that use OAuth authentication, because the OAuth redirect handler has moved to a new location; in most cases this should be a simple fix.

    Aikido promised to publish the full details of the flaw in a future report, but did not provide a specific timeline.
