{
  "variant_id": "cve-2026-48611-variant-ucp-register-and-controller-paths",
  "created_at": "2026-07-04T05:28:00Z",
  "variant_summary": "Variant/bypass analysis for CVE-2026-48611 (phpBB login-link auth bypass via attacker-steerable auth_provider=apache). A systematic matrix of 4 materially-distinct entry/data paths (register-flow residual attacker-steerable get_provider(), auth_provider forwarded through the login_link redirect, direct controller link_account?auth_provider=apache, and the oauth login controller) plus the original-exploit control was executed against the fixed phpBB 3.3.17. NO bypass was found: the fixed build blocks every candidate (session *_u=1, anonymous, no admin session) while the 3.3.16 control still hijacks admin (_u=2, ACP link present). One residual instance of the attacker-steerable get_provider($request->variable('auth_provider','')) anti-pattern survives in includes/ucp/ucp_register.php but does NOT reach the password-less apache::login() sink (register only calls login_link_has_necessary_data() + link_account(), never ->login()), so it is a defense-in-depth gap, not a bypass.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/phpbb/phpbb.git",
  "submitted_target": {
    "target_kind": "release_tag",
    "commit_sha": "555f0aaa6b892efb2e6b6edd2362302a3ef8b339",
    "version": "3.3.16",
    "ref": "release-3.3.16",
    "display": "phpBB release-3.3.16 (commit 555f0aaa6b892efb2e6b6edd2362302a3ef8b339)"
  },
  "variant_target": {
    "target_kind": "release_tag",
    "commit_sha": "3508484fdc18cd97eeab229da830055c79fcc59e",
    "version": "3.3.17",
    "ref": "release-3.3.17",
    "display": "phpBB release-3.3.17 (commit 3508484fdc18cd97eeab229da830055c79fcc59e) — fixed/target-for-bypass"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "api_remote",
  "validated_surface": "api_remote",
  "required_entrypoint_kind": "api_remote",
  "required_entrypoint_detail": "Unauthenticated HTTP POST/GET to phpBB UCP endpoints (ucp.php?mode=login_link, ucp.php?mode=register, /app.php/user/oauth/link_account, /app.php/user/oauth/login/{svc}) with attacker-controlled auth_provider=apache and an HTTP Basic Authorization header carrying a target username.",
  "attacker_controlled_input": "auth_provider=apache request parameter (GET/POST) plus HTTP Basic Authorization header (PHP_AUTH_USER set to an existing username, e.g. admin); password deliberately wrong (x). For the register-flow candidate: also login_link_* POST data and registration fields.",
  "trigger_path": "Variant matrix tested on fixed 3.3.17: V1 POST ucp.php?mode=register&auth_provider=apache (+login_link_*) -> ucp_register.php get_provider(auth_provider) -> login_link_has_necessary_data/link_account (NO ->login()); V2 POST ucp.php?mode=login_link&auth_provider=apache -> 301 redirect -> controller get_provider() no-arg; V3 POST /app.php/user/oauth/link_account?auth_provider=apache -> controller get_provider() no-arg -> db login() rejects wrong password; V4 GET /app.php/user/oauth/login/apache -> controller get_provider() no-arg -> instanceof oauth guard throws 401. Control V5: POST ucp.php?mode=login_link&auth_provider=apache -> on 3.3.16 apache::login() returns LOGIN_SUCCESS -> session_create(admin) [hijack]; on 3.3.17 blocked.",
  "observed_impact_class": "authz_bypass",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "no_bypass_found",
  "blocking_mitigation": "phpBB 3.3.17 fix (ticket/17659): deleted includes/ucp/ucp_login_link.php; ucp.php?mode=login_link redirects to new phpbb/ucp/controller/oauth.php; controller resolves provider via get_provider() with NO argument (board-configured auth_method, default db) so the password-less apache provider is unreachable; the oauth login() controller is additionally guarded by an instanceof phpbb\\auth\\provider\\oauth\\oauth check. The only residual attacker-steerable get_provider(auth_provider) in ucp_register.php is not followed by ->login()+session_create() for an existing user, so it cannot hijack accounts.",
  "file_path": "phpBB/includes/ucp/ucp_register.php",
  "line_start": 119,
  "line_end": 122,
  "secondary_anchors": [
    {
      "file_path": "phpBB/phpbb/ucp/controller/oauth.php",
      "line_start": 281,
      "line_end": 318
    },
    {
      "file_path": "phpBB/ucp.php",
      "line_start": 95,
      "line_end": 103
    },
    {
      "file_path": "phpBB/phpbb/auth/provider/apache.php",
      "line_start": 86,
      "line_end": 174
    }
  ],
  "review_scope_paths": [
    "phpBB/includes/ucp/ucp_register.php",
    "phpBB/phpbb/ucp/controller/oauth.php",
    "phpBB/ucp.php",
    "phpBB/phpbb/auth/provider/apache.php",
    "phpBB/phpbb/auth/provider_collection.php",
    "phpBB/phpbb/auth/auth.php",
    "phpBB/includes/ucp/ucp_login_link.php",
    "phpBB/config/default/routing/ucp.yml",
    "phpBB/config/default/container/services_ucp.yml"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "source_identity": "bundle/vuln_variant/source_identity.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh"
    ]
  }
}
