pruva-verify REPRO-2026-00223

curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00223/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh

Authentication bypass in phpBB's UCP login-link flow. ucp.php?mode=login_link loads includes/ucp/ucp_login_link.php, which accepts an attacker-controlled auth_provider query/POST parameter and calls $provider_collection->get_provider($request->variable('auth_provider', '')). Because the provider is chosen from the request rather than from the board's configured auth_method, setting auth_provider=apache invokes the apache auth provider's login() method. The apache provider (phpbb/auth/provider/apache.php) reads PHP_AUTH_USER from the HTTP Basic Authorization header, checks that it matches the submitted username, looks up that user in the database, and returns LOGIN_SUCCESS without ever validating the password. session_create() is then called for the target user. Default auth_method=db installations are vulnerable out of the box; OAuth is not required. An unauthenticated attacker can obtain a valid session as any known user, including administrators.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Scripts, logs, diffs, and output captured during the reproduction.