Question

I was going through phpBB security and came across this:-

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7143

I'm trying to understand the workflow of the vulnerability. In the overview, it says that the session ID is sent in a request to modcp.php when a thread is closed by the admin or moderator. Further, it says that a post in the thread which is closed by the admin may contain a remotely hosted image.

To my understanding, when someone visits a closed thread, he/she will try to load the remotely hosted image and in that process may send his/her session ID via the referrer field to the remote server. What I don't understand is how modcp.php fits into this picture?


Solution

When a moderator or admin closes a thread, it sends their session ID in the query string to modcp.php.

e.g. http://example.com/phpBB/modcp.php?params=blablabla&sessionID=123

Once that's happened and the thread is closed, they are then redirected back to the closed thread.

The problem with that is if an attacker posts an image on the thread, they can then check the referer header which, when a mod/admin closes a thread, will be the modcp URL with the session ID.

That gives the attacker the session ID allowing them to be authenticated as the moderator/admin that closed the thread.
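The leak described in the answer is a session token in a URL's query string being carried into the Referer header of a later cross-site request. The following Python is an added example, not phpBB code or part of the original answer, showing the two defensive checks a practitioner would want: a scrubber that removes session parameters from a URL before it is used as a redirect target, and a scanner that flags web-server access-log lines whose Referer value still carries a session parameter. The parameter names, host name, log lines and session values are all constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string keys treated as session identifiers (assumed names for the example).
SESSION_PARAMS = {"sid", "sessionid", "session_id", "phpsessid"}


def query_session_params(url: str) -> dict:
    """Return the session-bearing query parameters present in a URL (empty if none)."""
    parts = urlsplit(url)
    return {
        key: value
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
        if key.lower() in SESSION_PARAMS
    }


def scrub_session_params(url: str) -> str:
    """Rebuild a URL with session parameters removed.

    Use this on any URL that becomes a redirect target or a link in a page,
    so a session token never ends up in the Referer of a later request.
    """
    parts = urlsplit(url)
    kept = [
        (key, value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
        if key.lower() not in SESSION_PARAMS
    ]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


def find_referer_leaks(log_lines) -> list:
    """Scan combined-log-format lines and report Referer values that carry a session parameter.

    Combined log format: host ident user [time] "request" status bytes "referer" "user-agent".
    Splitting on double quotes puts the request at index 1 and the referer at index 3.
    """
    leaks = []
    for line in log_lines:
        fields = line.split('"')
        if len(fields) < 6:
            continue  # not a well-formed combined-log line
        referer = fields[3]
        found = query_session_params(referer)
        if found:
            leaks.append((referer, sorted(found)))
    return leaks


# Response header that stops a browser sending the full URL cross-origin at all
# (a modern browser-side mitigation; an assumption here, not something the 2008-era
# software on the page offered).
HARDENING_HEADERS = {"Referrer-Policy": "strict-origin-when-cross-origin"}

# Constructed sample log lines: one leaking a session id via Referer, two clean.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /img/pixel.png HTTP/1.1" 200 43 '
    '"http://forum.example/modcp.php?mode=lock&t=42&sid=deadbeefcafe" "Mozilla/5.0"',
    '203.0.113.6 - - [01/Jan/2024:10:00:01 +0000] "GET /img/pixel.png HTTP/1.1" 200 43 '
    '"http://forum.example/viewtopic.php?t=42" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /img/pixel.png HTTP/1.1" 200 43 '
    '"-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for referer, params in find_referer_leaks(SAMPLE_LOG):
        print("session parameter(s)", params, "leaked via Referer:", referer)
    print("safe redirect target:",
          scrub_session_params("http://forum.example/viewtopic.php?t=42&sid=deadbeefcafe"))
```

Running the scanner over a real access log from the image-hosting side of such a setup is the quickest way to confirm whether a forum is leaking tokens this way; the scrubber is the application-side fix, and keeping the session in a cookie rather than the URL removes the problem entirely.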

Licensed under: CC-BY-SA with attribution