SEC Consult Vulnerability Lab Security Advisory < 20170804-0 > ======================================================================= title: Server Side Request Forgery Vulnerability product: phpBB vulnerable version: 3.2.0 fixed version: 3.2.1 CVE number: impact: Medium homepage: https://www.phpbb.com/ found: 2017-05-21 by: Jasveer Singh (Office Kuala Lumpur) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "phpBB is a free flat-forum bulletin board software solution that can be used to stay in touch with a group of people or can power your entire website. With an extensive database of user-created extensions and styles database containing hundreds of style and image packages to customise your board, you can create a very unique forum in minutes." Source: https://www.phpbb.com/ Business recommendation: ------------------------ The patch should be installed immediately. Furthermore, SEC Consult recommends to perform a thorough security review of this software. Vulnerability overview/description: ----------------------------------- The phpBB forum software is vulnerable to the server side request forgery (SSRF) attack. An attacker is able to perform port scanning, requesting internal content and potentially attacking such internal services via the web application's "Remote Avatar" function. Proof of concept: ----------------- This vulnerability can be exploited by an attacker with a registered account as low as a normal account. If the web application enables remote avatar, this feature could be abused by an attacker to perform port scanning. Below is the example on how the SSRF issue can be exploited. URL : http://$DOMAIN/ucp.php?i=ucp_profile&mode=avatar METHOD : POST PARAMETER : avatar_remote_url PAYLOAD : http://$DOMAIN:$PORT/x.jpg Vulnerable / tested versions: ----------------------------- phpBB version 3.2.0 has been tested. This version was the latest at the time the security vulnerability was discovered. Vendor contact timeline: ------------------------ 2017-05-23: Contacting vendor through security bug tracker. 2017-05-29: Vendor confirms the vulnerabilities and working on the fixes. 2017-07-12: Vendor requesting extension for deadline of 5 days from the latest possible release date. 2017-07-17: Patch released by the vendor. 2017-08-04: Public release of the advisory. Solution: --------- Upgrade to phpBB 3.2.1 For further information see: https://www.phpbb.com/community/viewtopic.php?f=14&p=14782136 Workaround: ----------- Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/Career.htm Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/About/Contact.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Jasveer Singh / @2017
Attachment:
signature.asc
Description: OpenPGP digital signature