delphij's Chaos


25 Mar 2004

phpBB (up to and including 2.0.7a) Remote DDoS vulnerability

I’ve decided to disclose this here (to a small group of people) due to the unresponsiveness of the phpBB group, which is the authoritative vendor of phpBB. An official public full disclosure of this vulnerability will be posted to BugTraq some day later.

I have confirmed that there is a potential remote (D)DoS vulnerability in the phpBB 2.0.x series. This theory is easy to prove:

On every page, an inclusion of sessions.php would create a new session item.
Yes, the sessions table will be GC’ed after a while; however, it is easy to exploit this with an IP spoofing technique to fake many anonymous sessions into the table and hence fill up the table, finally resulting in a successful DoS attack.

I have submitted a patch along with a short statement about the vulnerability to, but well, their server simply asked me to confirm it; after I confirmed it, the server returned me a receipt, and after that, everything went silent.

I can’t keep silent and I will hereby make a full disclosure. To exploit it,
(1) make a program that can fake your IP in a connection.
(2) on each connection, connect to a page at the victim’s forum.
(3) repeat with a different faked IP; the table will soon be filled up, and hence a successful DoS attack.

For an easier implementation, it’s much easier to launch a DDoS attack against phpBB.
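From the forum operator's side, the condition described above shows up in the sessions table as a burst of anonymous rows, each from an address seen only once and never touched after creation. The following check is an added example, not code from this post or from phpBB; the row layout (user id, IP, creation time, last-activity time), the guest id of -1, the thresholds and the sample rows are all assumptions constructed for illustration.

```python
from collections import Counter

ANONYMOUS = -1  # assumption: user id stored for guest sessions


def flood_report(rows, now, window=300, max_new=200, min_single_ratio=0.9):
    """Summarise recent anonymous sessions and flag a session-table flood.

    rows: iterable of (user_id, ip, start, last_seen) tuples, times in seconds.
    """
    recent = [r for r in rows if r[0] == ANONYMOUS and 0 <= now - r[2] <= window]
    per_ip = Counter(ip for _, ip, _, _ in recent)
    # A session that was created and never touched again: one page load only.
    single = sum(1 for _, _, start, last in recent if last == start)
    # Addresses that appear exactly once in the window.
    one_off_ips = sum(1 for n in per_ip.values() if n == 1)
    total = len(recent)
    single_ratio = single / total if total else 0.0
    one_off_ratio = one_off_ips / len(per_ip) if per_ip else 0.0
    return {
        "new_anonymous": total,
        "distinct_ips": len(per_ip),
        "single_hit_ratio": round(single_ratio, 2),
        "one_off_ip_ratio": round(one_off_ratio, 2),
        "alert": total > max_new and single_ratio >= min_single_ratio
                 and one_off_ratio >= min_single_ratio,
    }


def sample_rows(now):
    """Constructed data: 40 returning guests, 10 members, 1000 one-hit guests."""
    rows = []
    for i in range(40):    # guests who kept browsing: last_seen moves past start
        rows.append((ANONYMOUS, f"198.51.100.{i}", now - 250 + i, now - 100 + i))
    for i in range(10):    # logged-in members, ignored by the check
        rows.append((i + 2, f"203.0.113.{i}", now - 200, now - 20))
    for i in range(1000):  # burst: a new address per session, never seen again
        ip = f"10.{i // 256}.{i % 256}.7"
        start = now - (i % 120)
        rows.append((ANONYMOUS, ip, start, start))
    return rows


if __name__ == "__main__":
    now = 1_080_000_000
    rows = sample_rows(now)
    print("normal traffic:", flood_report(rows[:50], now))
    print("with burst:    ", flood_report(rows, now))
```

An alert from a check like this is a cue to look at table size and garbage-collection timing; the thresholds need tuning against a forum's normal guest traffic.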

I must say, phpBB is not trustworthy, and speaking as FreeBSD China Community’s official position:

“We will give up phpBB soon and use another system. If time permits, it will be our own written one.”