phpBB is one of the oldest and most popular board software. If an attacker aims to take over a board running phpBB3, he will usually attempt to gain access to the admin control panel by means of bruteforcing, phishing or XSS vulnerabilities in plugins that the target site has installed. But plugins cannot be installed directly in the admin panel and there is no other feature that can be abused by administrators to execute arbitrary PHP code. However, the vulnerability described here allows the attacker to break out of the admin panel, execute arbitrary PHP code on the underlying server and then to perform a full site takeover.
The issue in the phpBB3 code base (300 KLOC) is a Phar deserialization vulnerability. It was fixed in version
3.2.4. Our leading SAST solution RIPS automatically detected this vulnerability in 3 minutes scan time.