phpBB Fixes Decade-Old Auth Bypass Bug

"The vulnerability is exploitable in the default configuration and requires no special knowledge," researchers at Aikido wrote after finding a decade-old authentication bypass in phpBB that lets an attacker sign in as any user, including administrators.

Aikido's discovery and disclosure

Researchers at application security company Aikido found the flaw on June 2 and reported it through phpBB's HackerOne Vulnerability Disclosure Program. According to Aikido, the bug was introduced into phpBB’s codebase roughly 10 years ago and persisted across both the 3.x and 4.x release branches. The researchers withheld technical details to give forum administrators time to apply fixes and went so far as to contact administrators of large phpBB-based forums directly.

Affected phpBB releases: 3.3.16 and 4.0.0-a2 (and earlier)

The flaw impacts phpBB versions 4.0.0-a2 and 3.3.16 and below. Aikido says the vulnerability affects all versions of the 3.x and 4.x branches up to those releases. For the 3.x series, phpBB addressed the problem on June 6 by issuing version 3.3.17. For the 4.x branch, however, Aikido reports that there is no safe 4.x release available yet.

How the bug works and the practical risk

Aikido characterizes the vulnerability as trivial to exploit: it requires a single HTTP request and no special configuration beyond the default settings. Because phpBB forums expose their member lists by default, attackers can readily select targets. Successful exploitation allows an attacker to log in as any user — including administrators — which in turn permits actions such as viewing private messages stored on a forum, creating, modifying or deleting content and user accounts, impersonating staff, or defacing sites.

Importantly, Aikido notes that remote code execution (RCE) is not possible via this flaw because a separate password check protects the Admin Control Panel. Still, the ability to assume administrative identities on a forum creates a broad range of disruptive and privacy-compromising actions.

Patch status, upgrade guidance and compatibility note

phpBB responded immediately to Aikido's report and released version 3.3.17 on June 6 to address the issue for the 3.x branch. Aikido's guidance for administrators was explicit: “If you are on version 4.0.0-a2 or 3.3.16 and below, upgrade immediately to master (no safe 4.x release yet) and 3.3.17, respectively, to avoid compromise.”

The researchers warned that the update may break forums using OAuth authentication because the OAuth redirect handler has moved to a new location; they said this should be a simple fix in most cases. No timeline was given for when Aikido will publish full technical details of the flaw.

What this means for technologists, forum operators, and users

  • Technologists and security teams: Review deployed phpBB instances and prioritize upgrades to 3.3.17 or to master where advised; those running 4.x must recognize there is no safe 4.x release yet and should plan mitigations or temporary controls until a fix is available.
  • Forum operators and administrators: Expect to check OAuth configurations post-upgrade because the redirect handler has moved; operators of large phpBB sites may already have been contacted by Aikido and should verify account integrity, private-message stores, and recent administrative activity for signs of misuse.
  • Users and members of phpBB forums: Be aware that member lists are public by default on many phpBB sites, which can make accounts — including administrative accounts — easy targets. Where possible, watch for communications from forum operators about forced password resets or other remediation steps.
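As an added example (not code from Aikido, phpBB or the original story), the following script turns the affected-release statement above and the upgrade guidance into an inventory check: it parses phpBB-style version strings, including pre-release tags such as 4.0.0-a2, and classifies each deployed instance against the ranges the advisory gives. The inventory of hostnames and versions is constructed for illustration.

```python
import re

# Ordering of phpBB pre-release tags: alpha < beta < release candidate < final.
PRE_RANK = {"a": 0, "b": 1, "rc": 2}
FINAL_RANK = 3

def parse_version(v):
    """Turn '3.3.17', '4.0.0-a2' or '4.0.0-RC1' into a tuple that sorts correctly.
    A final release sorts above any pre-release of the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)(\d*))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised phpBB version string: {v!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    tag, num = m.group(4), m.group(5)
    if tag is None:
        return (major, minor, patch, FINAL_RANK, 0)
    if tag.lower() not in PRE_RANK:
        raise ValueError(f"unknown pre-release tag in {v!r}")
    return (major, minor, patch, PRE_RANK[tag.lower()], int(num or 0))

# Ranges as stated in the advisory: every 3.x release below 3.3.17 is affected,
# and every 4.x release up to and including 4.0.0-a2 is affected with no fix yet.
FIXED_3X = parse_version("3.3.17")
LAST_AFFECTED_4X = parse_version("4.0.0-a2")

def assess(version):
    """Classify one phpBB version against the advisory's affected ranges."""
    p = parse_version(version)
    if p[0] == 3:
        return "fixed" if p >= FIXED_3X else "affected: upgrade to 3.3.17"
    if p[0] == 4:
        if p <= LAST_AFFECTED_4X:
            return "affected: no safe 4.x release yet, track master"
        return "not covered by the advisory"
    return "not covered by the advisory"

def audit(inventory):
    """Map each host in a {host: version} inventory to its verdict."""
    return {host: assess(ver) for host, ver in sorted(inventory.items())}

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"forum-a.example": "3.3.16", "forum-b.example": "3.3.17",
              "forum-c.example": "3.2.11", "beta.example": "4.0.0-a2"}
    for host, verdict in audit(sample).items():
        print(f"{host:20} {sample[host]:10} {verdict}")
```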

The discovery underscores a simple, uncomfortable fact: a small, easily triggered logic error can sit unnoticed for years and suddenly reopen long-settled doors. For operators of phpBB forums the immediate choice is concrete and limited — apply 3.3.17 now if you can, shift 4.x instances away from exposed configurations while awaiting a patched 4.x release, and prepare for the promised technical disclosure from Aikido so the community can examine the root cause in full.

Original story: phpBB forum fixes auth bypass bug lurking for a decade — BleepingComputer