CVE-2015-1432 Information

Description

The message_options function in includes/ucp/ucp_pm_options.php in phpBB before 3.0.13 does not properly validate the form key, which allows remote attackers to conduct CSRF attacks and change the full folder setting via unspecified vectors.

Reference

http://seclists.org/oss-sec/2015/q1/373
http://www.securityfocus.com/bid/72399
https://exchange.xforce.ibmcloud.com/vulnerabilities/100671
https://github.com/phpbb/phpbb/commit/23069a13e203985ab124d1139e8de74b12778449
https://github.com/phpbb/phpbb/pull/3311
https://security.gentoo.org/glsa/201701-25
https://tracker.phpbb.com/browse/PHPBB3-13526
https://wiki.phpbb.com/Release_Highlights/3.0.13
