CVE-2008-6507
Description
In phpBB before 3.0.4, quoting a post from a password-protected forum in a private message did not require the forum password, allowing unauthorized disclosure of protected content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In phpBB before 3.0.4, quoting a post from a password-protected forum in a private message did not require the forum password, allowing unauthorized disclosure of protected content.
Vulnerability
In phpBB versions prior to 3.0.4, when a user composes a private message and quotes a post that resides in a password-protected forum, the application does not verify that the user has access to that forum by requesting the forum password. This allows the content of the protected post to be included in the private message without proper authorization [2]. The issue was reported by nickvergessen and fixed in version 3.0.4 [3][4].
Exploitation
An attacker with the ability to send private messages can quote a post from a password-protected forum. The attacker does not need to know the forum password; the system fails to prompt for it. The attacker can then send the private message to themselves or others, thereby obtaining the content of the protected post. No special privileges are required beyond the ability to compose private messages.
Impact
Successful exploitation leads to unauthorized disclosure of sensitive information contained in posts within password-protected forums. The attacker gains access to content that should be restricted to users who know the forum password. This is a confidentiality breach.
Mitigation
The vulnerability is fixed in phpBB 3.0.4, released on 2009-03-23. Users should upgrade to version 3.0.4 or later. No workaround is documented for earlier versions. The fix adds a check for forum password when quoting a post in a private message [3][4].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
phpbb/phpbbPackagist | < 3.0.4 | 3.0.4 |
Affected products
5Patches
3a0c9705bb7d3every second commit an pre/post-commit error... :/
1 file changed · +19 −0
phpBB/includes/ucp/ucp_pm_compose.php+19 −0 modified@@ -251,6 +251,25 @@ function compose_pm($id, $mode, $action) { trigger_error('NOT_AUTHORISED'); } + + // Passworded forum? + if ($post['forum_id']) + { + $sql = 'SELECT forum_password + FROM ' . FORUMS_TABLE . ' + WHERE forum_id = ' . (int) $post['forum_id']; + $result = $db->sql_query($sql); + $forum_password = (string) $db->sql_fetchfield('forum_password'); + $db->sql_freeresult($result); + + if ($forum_password) + { + login_forum_box(array( + 'forum_id' => $post['forum_id'], + 'forum_password' => $forum_password, + )); + } + } } $msg_id = (int) $post['msg_id'];
fce23bc91b1eevery second commit an pre/post-commit error... :/ Ask for forum password if post within passworded forum quoted in private message (Reported by nickvergessen)
2 files changed · +22 −1
docs/CHANGELOG.html+3 −1 modified@@ -99,6 +99,7 @@ <h1>Changelog</h1> <li>[Fix] Adjusted phpbb_chmod() to always set permissions for group bit.</li> <li>[Fix] Do not increment users post count after post approval if post had been posted in a forum with no post count increasing set (Bug #37865)</li> <li>[Fix] Extend vertical line for last post column if no posts in forum (Bug #37125)</li> + <li>[Fix] correctly update last topic/forum information if changing guest usernames through editing posts (Bug #38095)</li> <li>[Change] Alllow applications to set custom module inclusion path (idea by HoL)</li> <li>[Change] Handle checking for duplicate usernames in chunks (Bug #17285 - Patch by A_Jelly_Doughnut)</li> <li>[Change] Better handling and finer control for custom profile fields visibility options. (Patch by Highway of Life)</li> @@ -107,7 +108,8 @@ <h1>Changelog</h1> <li>[Change] Performance increase for get_username_string() (Bug #37545 - Patch by BartVB)</li> <li>[Change] Slight performance increase for common parameter calls to append_sid() (Bug #37555 - Patch by BartVB)</li> <li>[Feature] Added 'AGO' setting to relative date strings. For example: posted 14 minutes ago. (Patch by BartVB)</li> - <li>[Sec] Fixed an issue where deactivated accounts could be re-activated without the required privileges.(Thanks Jorick)</li> + <li>[Sec] Fixed an issue where deactivated accounts could be re-activated without the required privileges. (Reported by Jorick)</li> + <li>[Sec] Ask for forum password if post within passworded forum quoted in private message. (Reported by nickvergessen)</li> </ul> <a name="v302"></a><h3>1.ii. Changes since 3.0.2</h3>
includes/ucp/ucp_pm_compose.php+19 −0 modified@@ -259,6 +259,25 @@ function compose_pm($id, $mode, $action) { trigger_error('NOT_AUTHORISED'); } + + // Passworded forum? + if ($post['forum_id']) + { + $sql = 'SELECT forum_password + FROM ' . FORUMS_TABLE . ' + WHERE forum_id = ' . (int) $post['forum_id']; + $result = $db->sql_query($sql); + $forum_password = (string) $db->sql_fetchfield('forum_password'); + $db->sql_freeresult($result); + + if ($forum_password) + { + login_forum_box(array( + 'forum_id' => $post['forum_id'], + 'forum_password' => $forum_password, + )); + } + } } $msg_id = (int) $post['msg_id'];
866e4196f4f5every second commit an pre/post-commit error... :/
2 files changed · +22 −1
phpBB/docs/CHANGELOG.html+3 −1 modified@@ -99,6 +99,7 @@ <h1>Changelog</h1> <li>[Fix] Adjusted phpbb_chmod() to always set permissions for group bit.</li> <li>[Fix] Do not increment users post count after post approval if post had been posted in a forum with no post count increasing set (Bug #37865)</li> <li>[Fix] Extend vertical line for last post column if no posts in forum (Bug #37125)</li> + <li>[Fix] correctly update last topic/forum information if changing guest usernames through editing posts (Bug #38095)</li> <li>[Change] Alllow applications to set custom module inclusion path (idea by HoL)</li> <li>[Change] Handle checking for duplicate usernames in chunks (Bug #17285 - Patch by A_Jelly_Doughnut)</li> <li>[Change] Better handling and finer control for custom profile fields visibility options. (Patch by Highway of Life)</li> @@ -107,7 +108,8 @@ <h1>Changelog</h1> <li>[Change] Performance increase for get_username_string() (Bug #37545 - Patch by BartVB)</li> <li>[Change] Slight performance increase for common parameter calls to append_sid() (Bug #37555 - Patch by BartVB)</li> <li>[Feature] Added 'AGO' setting to relative date strings. For example: posted 14 minutes ago. (Patch by BartVB)</li> - <li>[Sec] Fixed an issue where deactivated accounts could be re-activated without the required privileges.(Thanks Jorick)</li> + <li>[Sec] Fixed an issue where deactivated accounts could be re-activated without the required privileges. (Reported by Jorick)</li> + <li>[Sec] Ask for forum password if post within passworded forum quoted in private message. (Reported by nickvergessen)</li> </ul> <a name="v302"></a><h3>1.ii. Changes since 3.0.2</h3>
phpBB/includes/ucp/ucp_pm_compose.php+19 −0 modified@@ -259,6 +259,25 @@ function compose_pm($id, $mode, $action) { trigger_error('NOT_AUTHORISED'); } + + // Passworded forum? + if ($post['forum_id']) + { + $sql = 'SELECT forum_password + FROM ' . FORUMS_TABLE . ' + WHERE forum_id = ' . (int) $post['forum_id']; + $result = $db->sql_query($sql); + $forum_password = (string) $db->sql_fetchfield('forum_password'); + $db->sql_freeresult($result); + + if ($forum_password) + { + login_forum_box(array( + 'forum_id' => $post['forum_id'], + 'forum_password' => $forum_password, + )); + } + } } $msg_id = (int) $post['msg_id'];
Vulnerability mechanics
Root cause
"Missing password prompt when quoting a post from a password-protected forum in a private message."
Attack vector
An attacker composes a private message and uses the "quote" feature to include a post that resides in a password-protected forum. Before the patch, phpBB did not check whether the quoted post's forum required a password [patch_id=20661]. The attacker can therefore read the quoted content without ever providing the forum password, bypassing the access control that the forum administrator intended.
Affected code
The vulnerability exists in `phpBB/includes/ucp/ucp_pm_compose.php` within the `compose_pm()` function [patch_id=20661]. The code path that handles quoting a post into a private message lacked any check for whether the source forum was password-protected. The patch adds a database query against `FORUMS_TABLE` to retrieve the forum password and conditionally invokes `login_forum_box()`.
What the fix does
The patch adds a check after the existing authorisation test in `ucp_pm_compose.php` [patch_id=20661]. When a quoted post has a `forum_id`, the code queries `FORUMS_TABLE` for that forum's `forum_password`. If a password is set, it calls `login_forum_box()` to prompt the user for the password before the private message composition proceeds. This ensures that the same password gate that protects the forum also applies when its content is quoted in a private message.
Preconditions
- authAttacker must be an authenticated user with permission to compose private messages.
- configA password-protected forum must exist and contain at least one post.
Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
10- secunia.com/advisories/33166nvdVendor Advisory
- github.com/advisories/GHSA-jw8f-q84g-r3vmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2008-6507ghsaADVISORY
- www.openwall.com/lists/oss-security/2009/02/06/2nvdWEB
- www.phpbb.com/community/viewtopic.phpnvdWEB
- www.phpbb.com/support/documents.phpnvdWEB
- github.com/phpbb/phpbb-app/commit/fce23bc91b1e325eb65a2515cf8ae13e180023e9ghsaWEB
- github.com/phpbb/phpbb/commit/866e4196f4f50a41a1f176a17cc56609a13d4a10ghsaWEB
- github.com/phpbb/phpbb/commit/a0c9705bb7d3e203324d777782a6915bf5eee1d1ghsaWEB
- www.osvdb.org/50806nvd
News mentions
0No linked articles in our index yet.