CVE-2019-13376

## Vulnerability phpBB version 3.2.7 contains a CSRF token hijacking vulnerability in its Remote Avatar feature. When an administrator accesses the Administration Control Panel (ACP), the session ID is reflected as a GET parameter and remains attached to the URL when navigating back to the board index. This leaks the admin's session ID via HTTP referrers when remote avatars are loaded [2].

Exploitation

An attacker can craft a remote avatar URL pointing to their own server. If an admin loads a page containing this avatar, the admin's session ID is sent to the attacker via the referrer header. With the stolen session ID, the attacker can perform CSRF attacks to create a new BBCode entry containing malicious JavaScript, leading to stored XSS [2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of any user viewing the malicious BBCode. This can lead to full compromise of the forum, including data theft and further attacks.

Mitigation

The vulnerability is fixed in phpBB version 3.2.8. Users should upgrade immediately to prevent exploitation [3].