Critical phpBB Flaw Allows Account Hijacking with Single Request
A significant vulnerability has been identified in the phpBB forum software, allowing attackers to hijack any account, including those of administrators, with a single unauthenticated request. This flaw, tracked as PTT-2026-004, affects all phpBB versions up to 3.3.16 and the 4.0.0 alpha. The vulnerability was discovered by Dan Stefan Alexandru of Pentest-Tools.com and reported to phpBB on June 4.

The attack requires only the target's username, which can be easily obtained from the public member list on a default forum. Successful exploitation grants the attacker a valid session as the chosen account, providing access to private messages and content visible to the victim, and full read, write, and delete access if the victim is an administrator. However, access to the Administration Control Panel remains restricted, requiring the admin's password.

A second flaw, PTT-2026-005, affects boards using OAuth login through Google, Facebook, or Bitly, allowing attackers to bind their OAuth credential to a victim's...