phpBB AJAX Chat/Shoutbox MOD CSRF Vulnerability

25 Jul 2011

Title: phpBB AJAX Chat/Shoutbox MOD CSRF Vulnerability

Release Date: 2011-04-30

Product Affected:

Responsible Disclosure:

After repeated attempts to get the vendor to fix this flaw, he has told me, "Please stop taking up my time with something this trivial." I have provided a risk assessment, sources on CSRF including OWASP, and my implementation of how to fix it.

If, after a reasonable attempt to make the vendor recognise the issue as a vulnerability, the vendor still refuses to acknowledge the flaw, the vulnerability will be published.

First vendor contact was made on 2011-04-24 and continued until the 29th, when he cut contact.


Description:

No action taken through chat.php is protected against CSRF; this includes adding and deleting chat messages. Any page the victim visits while logged in to the board can therefore post or delete shoutbox messages in the victim's name, because the request carries nothing an attacker cannot predict.


Solution:

This solution carries no warranty or guarantees, that said it works with the version I have.

The fix adds a per-user token, an HMAC over the user id keyed with a server-side secret, to every state-changing request and refuses requests that do not carry it. A cross-site attacker cannot compute the token because he does not know the secret.

In config.php, define the key the token is derived from. It must be a long random value unique to this board (a placeholder is shown here):
$secretKey = 'replace-with-a-long-random-string-unique-to-this-board';

In shout.php, around line 116, add the token to the template variables so the page can send it back with every action:
'CHAT_MAC'      => hash_hmac('ripemd160', $user->data['user_id'], $secretKey),

In chat.php, before any action is dispatched, read the token and reject the request if it is missing or wrong. Use a strict !== comparison so PHP's loose numeric-string comparison cannot apply:
$chatMAC = request_var('mac', '');

// $mode is the requested action (add, delete, ...); a plain view with no mode needs no token
if ($mode AND $chatMAC !== hash_hmac('ripemd160', $user->data['user_id'], $secretKey))
    die('Hacking attempt! (CSRF)');

and, around line 257 of chat.php, expose the same token to its template output:
'CHAT_MAC'      => hash_hmac('ripemd160', $user->data['user_id'], $secretKey),

In the templates, after
param = 'mode=' + mode;
add
param += '&mac=' + '{CHAT_MAC}';
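The following is an added, self-contained model of the token check above; it is not the MOD's code or the advisory's patch and has no phpBB dependency, so it runs with `php` on the command line (PHP 7.1 or later). `$secretKey`, the `$user` array and `chat_handle()` are stand-ins for the phpBB globals and for the action dispatch in chat.php. It goes beyond the advisory's fix in two ways, both labelled in the comments: the token is bound to the session id as well as the user id, and it is compared with `hash_equals()` instead of `!=`.

```php
<?php
// Added example, not the MOD's code or the advisory's patch: a self-contained
// model of the HMAC anti-CSRF token described above. $secretKey, the $user
// array and chat_handle() stand in for the phpBB globals and the action
// dispatch in chat.php. The session binding and the constant-time comparison
// are additions to the advisory's fix.

// Assumed to live in config.php: a long random value unique to the board.
// Generated here so the demo is self-contained (random_bytes() needs PHP 7+).
$secretKey = bin2hex(random_bytes(32));

// The token the template embeds as {CHAT_MAC}. Keying it on the session id
// as well as the user id means a token captured from one session is useless
// in any other and stops being valid when the user logs out.
function chat_mac(string $secretKey, int $userId, string $sessionId): string
{
    return hash_hmac('ripemd160', $userId . ':' . $sessionId, $secretKey);
}

// hash_equals() (PHP 5.6+) compares in constant time; a plain != lets an
// attacker learn the token byte by byte from response timing, and PHP's
// loose comparison can also treat two numeric-looking strings as equal.
function chat_mac_valid(string $secretKey, array $user, $submitted): bool
{
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    $expected = chat_mac($secretKey, (int) $user['user_id'], $user['session_id']);
    return hash_equals($expected, $submitted);
}

// Model of the top of chat.php: returns the action taken, or 'rejected'.
// Only requests that change state (a non-empty mode) need the token.
function chat_handle(array $request, array $user, string $secretKey): string
{
    $mode = isset($request['mode']) ? (string) $request['mode'] : '';
    if ($mode === '') {
        return 'view';
    }
    $mac = isset($request['mac']) ? $request['mac'] : '';
    if (!chat_mac_valid($secretKey, $user, $mac)) {
        return 'rejected';   // the MOD's version does die('Hacking attempt! (CSRF)')
    }
    switch ($mode) {
        case 'add':    return 'added';
        case 'delete': return 'deleted';
        default:       return 'rejected';
    }
}

function check(string $label, string $got, string $want): void
{
    if ($got !== $want) {
        fwrite(STDERR, "FAIL $label: got $got, want $want\n");
        exit(1);
    }
    echo "ok   $label\n";
}

// Constructed demo data.
$user  = ['user_id' => 42, 'session_id' => 'a1b2c3d4e5f6'];
$token = chat_mac($secretKey, 42, $user['session_id']);

// 1. Cross-site forgery: the attacker knows the mode but not the token.
check('forged delete without token', chat_handle(['mode' => 'delete'], $user, $secretKey), 'rejected');
// 2. Guessing the token does not help.
check('forged add with bogus token', chat_handle(['mode' => 'add', 'mac' => str_repeat('0', 40)], $user, $secretKey), 'rejected');
// 3. The legitimate page sends the token the template embedded.
check('genuine add', chat_handle(['mode' => 'add', 'mac' => $token], $user, $secretKey), 'added');
// 4. The same user's token from another session is refused.
$other = ['user_id' => 42, 'session_id' => 'ffffffffffff'];
check('token replayed in another session', chat_handle(['mode' => 'add', 'mac' => $token], $other, $secretKey), 'rejected');
// 5. Reading the shoutbox never needs a token.
check('plain view', chat_handle([], $user, $secretKey), 'view');
```

Two practical notes. The advisory's token is keyed only on the user id, so it is the same for the life of the account and survives logout; binding it to the session id, as above, is cheap and removes that weakness. phpBB 3 also ships its own `add_form_key()`/`check_form_key()` helpers, which produce a session-bound form token, and a MOD that uses them gets the same protection without maintaining a separate secret in config.php.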