Critical Authentication Bypass Vulnerability Patched in phpBB

Quick answer

A critical authentication bypass vulnerability in phpBB, lurking for over a decade, has been discovered and patched. The flaw enabled attackers to log in as any user, including administrators, without a password.

phpBB’s development team has released an emergency security update addressing a critical vulnerability in the forum software’s authentication mechanism. The flaw, identified by cybersecurity researchers, allowed threat actors to bypass authentication checks and log in as any user—including forum administrators—without requiring a password.

The vulnerability has been present in the engine’s codebase for over a decade and affected all versions released since 2014. Experts warn that the bug could have been exploited to compromise forums running on phpBB, including large online communities. Platforms where administrators neglected software updates for extended periods were particularly at risk.

Developers strongly urge phpBB forum owners to install the latest version of the engine immediately. The update is available for download on the project’s official website. In addition to fixing the current vulnerability, the patch also addresses several other potential security threats uncovered during a code audit.

Common questions

What is the phpBB vulnerability about?
It is an authentication bypass bug that allowed attackers to log in as any account, including admin accounts, without a password. The flaw has existed since 2014.

Which phpBB versions are affected?
The vulnerability impacted all forum engine versions released since 2014. Users are advised to update to the latest security patch immediately.

How can I secure my phpBB forum?
Install the latest security update released by the developers to eliminate the risk of unauthorized account access.
Why trust this

Prepared by the V-Help editorial team from the primary source with a published date.

Published by: V-Help.ru news desk

Source: BleepingComputer