Vulnerability Summary
Disclosed HackerOne report: https://hackerone.com/reports/3608558, submitted by misop00p
A registered user can register an arbitrary URL as their Web Push notification endpoint. phpBB stores this URL without validation and later uses the Minishlink WebPush library to send HTTP POST requests to it. This lets an attacker force the phpBB server to make outbound HTTP requests to internal network services, cloud metadata endpoints, or other attacker-chosen destinations (server-side request forgery).
This is the same class of vulnerability as HackerOne #1018568 (SSRF in Jabber settings), but requires only a registered user rather than admin access. The Jabber feature was removed in phpBB 4.0 via migration; Web Push was added as its replacement.
Severity: Medium — CVSS 3.1: 5.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
Affected version: phpBB 4.0.0-alpha1 (commit 4a57f1ff3c)
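As an added defender-side example (not phpBB's code and not part of the report), a Python validator for a user-supplied push endpoint URL of the kind described above: https only, no embedded credentials, and every address the host resolves to must be globally routable, so loopback, RFC 1918, link-local (which covers the 169.254.169.254 metadata address) and IPv4-mapped IPv6 forms are refused. The `resolver` parameter and the lookup table in the test are constructed for offline use; the same check must run again at send time, connecting to the vetted address, or DNS rebinding between registration and delivery defeats it.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames refused outright, before any DNS lookup (list is illustrative).
BLOCKED_HOSTS = {"localhost", "metadata.google.internal"}


def _is_public(ip):
    """True only for globally routable unicast addresses."""
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def resolve_all(host):
    """Default resolver: every A/AAAA address for host (network access)."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def validate_push_endpoint(url, resolver=resolve_all):
    """Return (ok, reason). Accept only https URLs whose host is public."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTS or host.endswith((".local", ".internal")):
        return False, f"blocked hostname: {host}"
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal: check it directly
    except ValueError:
        addrs = resolver(host)  # hostname: every resolved address must pass
    if not addrs:
        return False, f"hostname does not resolve: {host}"
    for ip in addrs:
        if not _is_public(ip):
            return False, f"endpoint resolves to non-public address {ip}"
    return True, "ok"
```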