lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 4 Aug 2017 17:15:35 +0300
From: SEC Consult Vulnerability Lab <>
To: <>, <>
Subject: SEC Consult SA-20170804-0 :: phpBB Server Side Request Forgery (SSRF)

SEC Consult Vulnerability Lab Security Advisory < 20170804-0 >
              title: Server Side Request Forgery Vulnerability
            product: phpBB
 vulnerable version: 3.2.0
      fixed version: 3.2.1
         CVE number:
             impact: Medium
              found: 2017-05-21
                 by: Jasveer Singh (Office Kuala Lumpur)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich



Vendor description:
"phpBB is a free flat-forum bulletin board software solution that can be used
to stay in touch with a group of people or can power your entire website. With
an extensive database of user-created extensions and styles database
containing hundreds of style and image packages to customise your board, you
can create a very unique forum in minutes."


Business recommendation:
The patch should be installed immediately. Furthermore, SEC Consult recommends
to perform a thorough security review of this software.

Vulnerability overview/description:
The phpBB forum software is vulnerable to the server side request forgery
(SSRF) attack. An attacker is able to perform port scanning, requesting
internal content and potentially attacking such internal services via the
web application's "Remote Avatar" function.

Proof of concept:
This vulnerability can be exploited by an attacker with a registered account
as low as a normal account. If the web application enables remote avatar, this
feature could be abused by an attacker to perform port scanning. Below is the
example on how the SSRF issue can be exploited.

URL     	: http://$DOMAIN/ucp.php?i=ucp_profile&mode=avatar
PARAMETER	: avatar_remote_url
PAYLOAD 	: http://$DOMAIN:$PORT/x.jpg

Vulnerable / tested versions:
phpBB version 3.2.0 has been tested. This version was the latest
at the time the security vulnerability was discovered.

Vendor contact timeline:
2017-05-23: Contacting vendor through security bug tracker.
2017-05-29: Vendor confirms the vulnerabilities and working on the fixes.
2017-07-12: Vendor requesting extension for deadline of 5 days from the
            latest possible release date.
2017-07-17: Patch released by the vendor.
2017-08-04: Public release of the advisory.

Upgrade to phpBB 3.2.1

For further information see:


Advisory URL:


SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

Interested to work with the experts of SEC Consult?
Send us your application

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices

Mail: research at sec-consult dot com

EOF Jasveer Singh / @2017

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists