phpBB Server Side Request Forgery Vulnerability

Project Description

The “Remote Avatar” function in phpBB allows an attacker to perform server-side request forgery (SSRF) attacks if the “Remote Avatar” functions is enabled.


Vendor description

“phpBB is a free flat-forum bulletin board software solution that can be usedto stay in touch with a group of people or can power your entire website. Withan extensive database of user-created extensions and styles databasecontaining hundreds of style and image packages to customise your board, youcan create a very unique forum in minutes.”



Business recommendation

The patch should be installed immediately. Furthermore, SEC Consult recommends to perform a thorough security review of this software.


Vulnerability overview/description

The phpBB forum software is vulnerable to the server side request forgery (SSRF) attack. An attacker is able to perform port scanning, requesting internal content and potentially attacking such internal services via the web application’s “Remote Avatar” function.


Proof of concept

This vulnerability can be exploited by an attacker with a registered account as low as a normal account. If the web application enables remote avatar, this feature could be abused by an attacker to perform port scanning. Below is the example on how the SSRF issue can be exploited.

  • URL: http://$DOMAIN/ucp.php?i=ucp_profile&mode=avatar
  • PARAMETER: avatar_remote_url
  • PAYLOAD : http://$DOMAIN:$PORT/x.jpg


Vulnerable / tested versions

phpBB version 3.2.0 has been tested. This version was the latestat the time the security vulnerability was discovered.


Vendor contact timeline

2017-05-23: Contacting vendor through security bug tracker.
2017-05-29: Vendor confirms the vulnerabilities and working on the fixes.
2017-07-12: Vendor requesting extension for deadline of 5 days from the latest possible release date.
2017-07-17: Patch released by the vendor.
2017-08-04: Public release of the advisory.



Upgrade to phpBB 3.2.1

For further information see:





Advisory URL


EOF Jasveer Singh / @2017


Project Details

  • TitleServer Side Request Forgery Vulnerability
  • ProductphpBB
  • Vulnerable version3.2.0
  • Fixed version--
  • CVE number--
  • ImpactMedium
  • Homepage
  • Found2017-05-21
  • ByJasveer Singh (Office Kuala Lumpur) | SEC Consult Vulnerability Lab