A vulnerability has been identified in phpBB, the free forum engine, that allows an attacker to hijack the session of any forum user by sending a single HTTP request. The vulnerability is present in the default phpBB configuration. The problem has been fixed in phpBB version 3.3.17.
When attacking regular users, the attacker gains access to their private messages and can send messages on their behalf. When attacking moderators and administrators, the attacker can delete other users' posts and read private messages, but cannot enter the administrator interface and so cannot gain access to the host.
Details of the vulnerability have not been published, but an exploitation method has already been reconstructed from the fix with the help of AI. The method consists of calling the "login_link" handler with the authentication method set to "auth_provider=apache" and supplying a login name via HTTP Basic Auth; PHP then sets the environment variable "PHP_AUTH_USER=login", and phpBB takes the user's login from that variable without checking the password.
For example, to get the session ID of the admin user and save it to the cookie.txt file, you can run the following code:
code example here
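From the defender's side, the request pattern described above is easy to look for in web-server access logs. The following script is an added example and not part of the original report or of phpBB itself: it parses combined-format log lines (the sample lines are constructed) and flags requests to the "login_link" handler that ask for "auth_provider=apache" on a forum whose configured authentication method is not "apache". The request path /forum/ucp.php?mode=login_link is an assumption about where the handler lives and should be adjusted to the real forum layout.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in combined format. The path
# /forum/ucp.php?mode=login_link is an assumed location of the phpBB
# "login_link" handler, not taken from the report.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /forum/ucp.php?mode=login_link&auth_provider=apache HTTP/1.1" 302 0 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2025:12:00:03 +0000] "POST /forum/ucp.php?mode=login_link&auth_provider=apache HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.9 - - [10/Mar/2025:12:00:04 +0000] "GET /forum/ucp.php?mode=login_link&auth_provider=oauth HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:12:00:05 +0000] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_login_link_request(target):
    """True if the request target addresses the login_link handler,
    either by path segment or by the mode=login_link query parameter."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    return "login_link" in parts.path or query.get("mode") == ["login_link"]


def find_suspicious(log_text, configured_auth_method="db"):
    """Flag login_link requests that select auth_provider=apache on a forum
    whose configured authentication method is not 'apache'. On such a forum
    the web server never performs HTTP auth itself, so a client-supplied
    login reaching this handler through PHP_AUTH_USER is not legitimate."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        query = parse_qs(urlsplit(rec["target"]).query)
        if (is_login_link_request(rec["target"])
                and query.get("auth_provider") == ["apache"]
                and configured_auth_method != "apache"):
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                "target": rec["target"], "status": rec["status"],
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['target']} -> {f['status']}")
```

The Authorization header is not written to the default combined log format, so the check keys on the query string alone; on a forum that genuinely uses Apache authentication these requests are expected, which is why the configured method is passed in and the check is skipped for "apache". Hits on a forum older than 3.3.17 are worth correlating with the session table and the upgrade schedule.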