Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

phpBB 2.0.13 released – dumb*ss coders strike again

This post was imported from an old blog archive, and predates the creation of

In the latest round of embarrassing updates, the phpBB Group has released a new version of phpBB, 2.0.13, to fix a large and obvious security error that allows anyone to gain admin rights. And, just to make it better, it affects every version below 2.0.13. With a POC floating around, let the hacking begin.

Update: A working exploit was released, showing just how simple it is to wreak havoc.

This is yet another blow to phpBB; it has had a number of recent issues like this, which makes you wonder how long it will take for them to actually take security seriously.

Exploit #

An exploit is not required.

The following proof of concept, demonstrating the cookie values needed to authenticate as the account with numerical id ‘2’ (typically the administrator account), is available:



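The post does not describe the root cause, and the proof-of-concept cookie itself is not reproduced here. As an added example (not phpBB's code, and not the advisory's PoC), the PHP below shows the general bug class behind a "fixed cookie values log you in as user 2" bypass: attacker-controlled data is deserialized from a cookie and compared to a stored secret with PHP's loose `==` operator, where `true == 'any non-empty string'` evaluates to true. The user table, key values, function names and cookie layouts are all assumptions made for the illustration; the "hardened" variant shows the checks a fix of that class needs (no `unserialize()` of untrusted input, a string type check, and a constant-time comparison).

```php
<?php
// Added example, not phpBB's code. Shows a loose-comparison autologin
// bypass and a hardened version of the same check. All names and values
// below are hypothetical.

// Assumed user table: id => display name and stored autologin secret.
$users = [
    2 => ['name' => 'admin', 'autologin_key' => 'e3b0c44298fc1c149afbf4c8996fb924'],
];

// Vulnerable pattern: trust a serialized cookie and compare with ==.
function login_from_cookie_loose(string $cookie, array $users): ?string
{
    // unserialize() on attacker input is itself dangerous; it is kept here
    // only because the loose comparison below depends on the attacker
    // being able to supply a non-string type (a boolean).
    $data = @unserialize($cookie);
    if (!is_array($data) || !isset($data['userid'], $data['autologinid'])) {
        return null;
    }
    $uid = (int) $data['userid'];
    if (!isset($users[$uid])) {
        return null;
    }
    // Loose comparison: a boolean true on the left side turns this into
    // (bool) 'e3b0c4...' === true, so the attacker never needs the key.
    if ($data['autologinid'] == $users[$uid]['autologin_key']) {
        return $users[$uid]['name'];
    }
    return null;
}

// Hardened pattern: a plain "userid:key" cookie (no unserialize),
// a type/emptiness check on the key, and a constant-time comparison.
function login_from_cookie_strict(string $cookie, array $users): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;
    }
    [$uidStr, $key] = $parts;
    $uid = (int) $uidStr;
    if (!isset($users[$uid]) || $key === '') {
        return null;
    }
    // hash_equals() requires two strings and compares in constant time;
    // a non-string or empty key can never match.
    if (hash_equals($users[$uid]['autologin_key'], $key)) {
        return $users[$uid]['name'];
    }
    return null;
}

// Constructed attacker cookie: userid 2 with autologinid set to boolean
// true rather than to any real key.
$attackerCookie = serialize(['autologinid' => true, 'userid' => '2']);

echo "loose check, attacker cookie: ";
var_dump(login_from_cookie_loose($attackerCookie, $users));

echo "strict check, wrong key: ";
var_dump(login_from_cookie_strict('2:wrong', $users));

echo "strict check, correct key: ";
var_dump(login_from_cookie_strict('2:e3b0c44298fc1c149afbf4c8996fb924', $users));
```

Run it with `php example.php`. The loose variant accepts the attacker cookie as the admin account even though no key was supplied; the strict variant only accepts the cookie that carries the exact stored key. The fix in practice is the combination of all three changes, not `===` alone: if the cookie is still deserialized, other type confusions remain available to the attacker.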
References #

PHPBB Authentication Bypass Vulnerability
phpBB 2.0.13 released – Critical Update
