SEC Consult SA-20170804-0 :: phpBB Server Side Request Forgery (SSRF) vulnerability

From: SEC Consult Vulnerability Lab <research@sec-consult.com>
To: bugtraq@securityfocus.com, fulldisclosure@seclists.org
Message-ID: <202b010c-eb29-64ab-90ba-30524cc80848@sec-consult.com>
Subject: SEC Consult SA-20170804-0 :: phpBB Server Side Request Forgery (SSRF) vulnerability


SEC Consult Vulnerability Lab Security Advisory < 20170804-0 >
=========================================================================
              title: Server Side Request Forgery Vulnerability
            product: phpBB
 vulnerable version: 3.2.0
      fixed version: 3.2.1
         CVE number:
             impact: Medium
           homepage: https://www.phpbb.com/
              found: 2017-05-21
                 by: Jasveer Singh (Office Kuala Lumpur)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=========================================================================

Vendor description:
-------------------
"phpBB is a free flat-forum bulletin board software solution that can be used
to stay in touch with a group of people or can power your entire website. With
an extensive database of user-created extensions and styles database
containing hundreds of style and image packages to customise your board, you
can create a very unique forum in minutes."

Source: https://www.phpbb.com/


Business recommendation:
------------------------
The patch should be installed immediately. Furthermore, SEC Consult recommends
performing a thorough security review of this software.


Vulnerability overview/description:
-----------------------------------
The phpBB forum software is vulnerable to server side request forgery (SSRF).
An attacker is able to perform port scanning, request internal content and
potentially attack internal services via the web application's "Remote Avatar"
function.


Proof of concept:
-----------------
This vulnerability can be exploited by an attacker with a registered account,
even an ordinary user account. If the web application has remote avatars
enabled, this feature can be abused by an attacker to perform port scanning.
Below is an example of how the SSRF issue can be exploited.

URL     	: http://$DOMAIN/ucp.php?i=ucp_profile&mode=avatar
METHOD  	: POST
PARAMETER	: avatar_remote_url
PAYLOAD 	: http://$DOMAIN:$PORT/x.jpg
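The defensive counterpart to the request above is to validate a remote avatar URL before the server fetches it. The following is an added example in Python (not phpBB's code and not part of this advisory): it restricts the scheme and port, resolves the host, and rejects any record that is not a globally routable unicast address, including IPv4-mapped IPv6 forms of loopback. The DNS table, the hostnames and the address 1.2.3.4 are constructed for offline use.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # the PoC above relies on choosing $PORT freely

def default_resolver(host):
    # Every A/AAAA record must pass the check, not only the first one returned.
    return sorted({i[4][0] for i in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)})

def is_public_address(ip_text):
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return addr.is_global and not addr.is_multicast

def check_remote_avatar_url(url, resolver=default_resolver):
    """Return (ok, reason, addresses). Connect only to the returned addresses
    (do not re-resolve; that defeats DNS rebinding) and re-check every redirect."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if not parts.hostname or parts.username is not None or parts.password is not None:
        return False, "missing host or credentials in URL", []
    try:
        port = parts.port or (443 if scheme == "https" else 80)  # ValueError if non-numeric
    except ValueError:
        return False, "invalid port", []
    if port not in ALLOWED_PORTS:
        return False, "port not allowed", []
    try:
        ipaddress.ip_address(parts.hostname)
        addresses = [parts.hostname]  # IP literal, no lookup needed
    except ValueError:
        try:
            addresses = list(resolver(parts.hostname))
        except (OSError, UnicodeError):  # socket.gaierror is an OSError
            return False, "unresolvable host", []
    if not addresses or not all(is_public_address(a) for a in addresses):
        return False, "resolves to a non-public address", addresses
    return True, "ok", addresses

FAKE_DNS = {"cdn.example.com": ["1.2.3.4"], "intranet.example.com": ["10.0.0.5"],
            "rebind.example.com": ["1.2.3.4", "127.0.0.1"]}  # constructed, not real hosts

def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror("constructed: no such host")
    return FAKE_DNS[host]
```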


Vulnerable / tested versions:
-----------------------------
phpBB version 3.2.0 has been tested. This version was the latest
at the time the security vulnerability was discovered.


Vendor contact timeline:
------------------------
2017-05-23: Contacting vendor through security bug tracker.
2017-05-29: Vendor confirms the vulnerabilities and is working on the fixes.
2017-07-12: Vendor requesting extension for deadline of 5 days from the
            latest possible release date.
2017-07-17: Patch released by the vendor.
2017-08-04: Public release of the advisory.


Solution:
---------
Upgrade to phpBB 3.2.1

For further information see:
https://www.phpbb.com/community/viewtopic.php?f=14&p=14782136


Workaround:
-----------


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Jasveer Singh / @2017

