phpBB
cpe:2.3:a:phpbb:phpbb:*:*:*:*:*:*:*
- 3.3.15
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in phpBB version 3.3.15. It allows a remote attacker to perform unauthorized administrative actions, rated in this entry as up to arbitrary code execution, by abusing the Admin Control Panel's icon management feature. The module processes state-changing POST requests without adequate CSRF protection, so an attacker who lures an authenticated administrator to a page under the attacker's control can forge requests that ride the administrator's existing session.
Exploitation could lead to account takeover, unauthorized administrative actions, and privilege abuse, all carried out under the session of an authenticated administrator rather than through any credential of the attacker's own.
To reproduce this vulnerability, an attacker must trick an authenticated administrator into visiting a malicious webpage that sends a forged POST request to the Admin Control Panel icon management module. This can be done by creating a form that includes the necessary hidden input fields for the icon management functionality and submitting it automatically via a script. Because the browser attaches the administrator's session cookie to the cross-site request and the module does not demand a per-session secret that the attacker's page cannot read, the request is processed as if the administrator had submitted it.
To address this vulnerability, it is recommended to enforce CSRF tokens tied to user sessions, validate the integrity and expiration of these tokens, set the SameSite attribute on the session cookie, and verify Origin or Referer headers. Additionally, requiring re-authentication for sensitive actions within the Admin Control Panel can help mitigate the risk.