Phar deserialization Exploit in phpBB


RipsTech reported a Phar deserialization to RCE vulnerability in phpBB3, one of the most widely used forum software packages. The vulnerability allows attackers who gain access to an administrator account to execute arbitrary PHP code and take over the entire board.

phpBB is one of the oldest and most popular board software packages. An attacker aiming to take over a board running phpBB3 will usually attempt to gain access to the admin control panel by means of brute-forcing, phishing, or XSS vulnerabilities in plugins that the target site has installed.

However, plugins cannot be installed directly from the admin panel, and no other built-in feature can be abused by administrators to execute arbitrary PHP code. The vulnerability described here changes that: it allows the attacker to break out of the admin panel, execute arbitrary PHP code on the underlying server, and then perform a full site takeover.
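The root cause of this bug class is that, in PHP before 8.0, filesystem functions such as file_exists() or is_file() automatically unserialize() the metadata of any archive reached through a phar:// path. The following is an added defensive example, not phpBB or RipsTech code: a validation helper that refuses stream-wrapper prefixes and directory traversal in a user-controlled path before it reaches a filesystem call (the function names and the sample avatar paths are assumed for illustration).

```php
<?php
// Added example (not phpBB code). Reject PHP stream wrappers in user-controlled
// paths before they reach filesystem functions. On PHP < 8.0, file_exists(),
// is_file(), filesize() etc. unserialize() phar metadata when given phar://...

function isPlainFilesystemPath(string $path): bool
{
    // Any "scheme://" prefix (phar://, php://, data://, ...) selects a stream
    // wrapper instead of the local filesystem, so refuse all of them.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $path)) {
        return false;
    }
    // NUL bytes must never appear in a path; some PHP versions raise on them,
    // older ones silently truncated the path.
    if (strpos($path, "\0") !== false) {
        return false;
    }
    return true;
}

// Checks a user-supplied relative path against a fixed base directory.
function safeFileExists(string $baseDir, string $userPath): bool
{
    if (!isPlainFilesystemPath($userPath)) {
        return false;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    // realpath() resolves "..", so a result outside $base means traversal.
    if ($base === false || $full === false) {
        return false;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return file_exists($full);
}

// Constructed sample inputs (assumed, not taken from the report).
$samples = [
    'avatars/upload/1_123.png',            // plain relative path: accepted
    'phar://avatars/upload/1_123.png/x',   // stream wrapper: rejected
    '../../config.php',                    // traversal: rejected by safeFileExists
];
foreach ($samples as $s) {
    printf("%-40s wrapper-free=%s exists=%s\n", $s,
        isPlainFilesystemPath($s) ? 'yes' : 'no',
        safeFileExists(__DIR__ . '/images', $s) ? 'yes' : 'no');
}
```

The wrapper check alone is not a complete fix: the robust mitigation is to never pass attacker-influenced strings to filesystem functions, and to run a PHP version (8.0 or later) that no longer unserializes phar metadata implicitly.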

The vulnerability is present in phpBB 3.2.3 and has been fixed in version 3.2.4. If you are running phpBB3, make sure to upgrade to the latest version as soon as possible.

More information about the vulnerability is available on the RipsTech blog.
