### phpBB Forum Software Fixes Decade-Old Authentication Bypass Vulnerability ###
A critical authentication bypass vulnerability has been discovered in the phpBB forum software that has been lurking for over a decade. The flaw, which allows attackers to log in as any user, including administrators, was reported by researchers at application security company Aikido through the developer’s HackerOne Vulnerability Disclosure Program.
The bug was introduced to phpBB’s codebase 10 years ago and impacts all versions of the 3.x and 4.x release branches, up to 3.3.16 and 4.0.0-a2. The vulnerability is trivial to exploit with a single HTTP request and does not require any special configuration or knowledge.
According to Aikido’s report, exploiting the bug requires no special configuration, as it can be triggered on the default settings. This means that attackers can easily target phpBB forums without needing to know much about the software or its configuration.
The vulnerability allows attackers to view all private messages stored on the forum, create, modify, or delete content and user accounts, impersonate staff, or deface the sites. Picking targets is also straightforward, as the member list on phpBB forums is public by default.
Aikido notes that remote code execution (RCE) is not possible due to a separate password check that protects the Admin Control Panel. However, this does not mitigate the severity of the vulnerability, as attackers can still gain administrator access and perform malicious actions.
phpBB responded quickly to the report and addressed the problem in version 3.3.17 of the software on June 6th. However, for the 4.x release, there is no fix available yet. phpBB administrators are advised to upgrade immediately to master (no safe 4.x release yet) and 3.3.17, respectively, to avoid compromise.
One thing to note is that the update may cause forums using OAuth authentication to break, because the OAuth redirect handler has moved to a new location. However, this should be a simple fix in most cases.
Aikido promised to publish the full details of the flaw in a future report, but did not provide a specific timeline.
### Update Your phpBB Forum Software Immediately ###
If you are running a phpBB forum and have not already updated to version 3.3.17 or later, it is essential that you do so immediately. This vulnerability has been lurking for over a decade and can be exploited by attackers with ease.
### Conclusion ###
The discovery of this decade-old authentication bypass vulnerability in phpBB forum software highlights the importance of regular security updates and patches. It also underscores the need for developers to prioritize security when designing their software.
In conclusion, phpBB administrators must take immediate action to update their software and prevent potential attacks. The consequences of not doing so could be severe, with attackers potentially gaining administrator access and compromising sensitive data.
Source: Original article