ID Status Summary Opened by
317 Closed Pre ATO & Identity Impersonation on skouat.alwaysdata.ne ... SpaceCowb0y

Task Description

The application allows any user to register an account with any email address without requiring email verification or activation. Furthermore, the system allows the registration of high-value usernames (e.g., administrator) and immediately grants access to the platform.
Because the "Forgot Password" and "Activation" systems are currently non-functional, an attacker can effectively "brick" or "squat" on any email address, preventing legitimate users from ever joining the platform or recovering their intended identities.

Technical Details
A. Lack of Registration Verification
The registration endpoint does not send a verification link to the provided email. Upon submission of the registration form, the user is immediately authenticated into the system.
B. Account Pre-Occupation (Squatting)
An attacker can register using a victim's email address (e.g., real-admin@company.com). Because the system marks this email as "in use," the legitimate owner is blocked from registering.
C. Denial of Service (Recovery Loop)
The "Forgot Password" function fails to send reset links to inactivated accounts. Since there is no way for a user to "activate" an account they didn't create, the email remains permanently locked in a "zombie" state within the database.

## Impact
Identity Impersonation: Attackers can claim usernames that imply authority (Admin, Support, Moderator), which can be used for social engineering/phishing against other users.
Permanent User Lockout: Legitimate users are prevented from using their own email addresses on the platform.
User Enumeration: The registration form can be used to confirm if a specific person (via email) is already a member of the board.

## Remediations

Enable Mandatory Activation: Configure phpBB to require "User Activation" via email before allowing a login session.
Disallowed Usernames: Add admin, administrator, and webmaster to the "Disallowed Usernames" list in the phpBB Administration Control Panel (ACP).
Fix SMTP Configuration: Ensure the server is correctly configured to send outgoing mail so legitimate users can utilize the "Forgot Password" tool to reclaim squatted accounts.

Video demonstration is attached below

regards..
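
A sketch of the registration flow the remediations in report 317 point toward, added here as an example; it is not phpBB code and not part of the original report. The `Registry` class, the 24-hour expiry and the in-memory storage are assumptions, and username uniqueness is left out to keep the focus on email claims.

```python
import hashlib
import secrets
import time

RESERVED = {"admin", "administrator", "webmaster"}  # names from the report's remediation list
PENDING_TTL = 24 * 3600  # assumption: unverified claims expire after 24 hours


class Registry:
    """Hypothetical in-memory account store (illustration only, not phpBB)."""

    def __init__(self):
        self.active = {}   # email -> username, set only after proof of mailbox control
        self.pending = {}  # sha256(token) -> (email, username, expiry)

    def register(self, email, username, now=None):
        """Record an unverified claim and return the token the mailer would send."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        if username.strip().lower() in RESERVED:
            raise ValueError("username is reserved")
        # Drop expired claims so an abandoned signup cannot hold an address forever.
        self.pending = {h: p for h, p in self.pending.items() if p[2] > now}
        if email in self.active:
            # Mailer sends an "already registered" notice; the web response stays
            # identical, so the form does not confirm membership.
            return None
        # An unverified claim never blocks a later claim for the same address:
        # whoever can read the mailbox decides which one is activated.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (email, username, now + PENDING_TTL)
        return token

    def activate(self, token, now=None):
        """Turn a pending claim into an account; return the username or None."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        claim = self.pending.pop(digest, None)
        if claim is None or claim[2] <= now or claim[0] in self.active:
            return None  # unknown token, expired claim, or address already activated
        email, username, _ = claim
        self.active[email] = username
        # Invalidate every other pending claim for this address.
        self.pending = {h: p for h, p in self.pending.items() if p[0] != email}
        return username
```

No session is issued until `activate` succeeds, so a claim made with someone else's address never becomes an account and never blocks the real owner.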

316 Closed HTML INJECTION SpaceCowb0y

Task Description

A significant HTML Injection vulnerability exists in phpPgAdmin 7.13.0. The application fails to sanitize the server parameter before rendering it within the administrative dashboard's server list. Testing confirmed that an attacker can inject arbitrary HTML tags to manipulate the Document Object Model (DOM), break the table structure, and redefine the information displayed to the administrator. This flaw directly compromises the Integrity of the management interface.
It's explained in CVE ID: CVE-2025-60796, which matches the phpPgAdmin version.

STEPS TO REPRODUCE

1. Go to `https://phppgadmin.alwaysdata.com/phppgadmin/`
2. Log in with admin/admin (misconfiguration using default creds has been reported before and ignored)
3. `https://phppgadmin.alwaysdata.com/phppgadmin/sequences.php?server= <img%20src='aaa'%20onerror=alert(1)>`
4. Navigate to `https://phppgadmin.alwaysdata.com/phppgadmin/servers.php` and observe that a new host has been added with the payload in HTML format, which means it was rendered successfully. This opens up the door for many other attacks; I didn't try to exploit it further.

## Impact

Loss of UI Integrity: Administrators can no longer trust the data displayed in the "Host," "Port," or "User" columns, as these can be rewritten via a crafted URL.

Misinformation Attacks: Attackers can label legitimate production servers as "Offline" or "Testing" to trick administrators into performing destructive maintenance.

Phishing/Social Engineering: The ability to inject clickable links and styled text allows for sophisticated internal phishing attacks within the trusted application domain.

Foundation for XSS: While this report focuses on HTML Injection, the lack of sanitization is the direct precursor to Cross-Site Scripting (XSS), as evidenced by successful reflection of tags like <svg> and <img>.

Recommendations can be suggested after confirming the issue.

regards..
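
The two controls that close the gap described in report 316, allowlisting the `server` value on input and escaping every cell on output, shown as an added example; it is not phpPgAdmin code and not part of the original report. The `host:port:sslmode` id format, the configured ids, the function names and the sample URLs are assumptions constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Assumption: server ids configured for this install (constructed values).
CONFIGURED_SERVERS = {"localhost:5432:allow", "db1.internal.example:5432:require"}


def server_param(url):
    """Return the URL-decoded `server` query value, or None if it is absent."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("server")
    return values[0] if values else None


def accept_server(url):
    """Allowlist check: only ids matching a configured server are stored or listed."""
    value = server_param(url)
    return value if value in CONFIGURED_SERVERS else None


def render_server_row(host, port, user):
    """Escape every cell at output time, whatever validation ran earlier."""
    cells = (html.escape(str(c), quote=True) for c in (host, port, user))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def triage(urls):
    """Split requests into accepted server ids and rejected raw values for alerting."""
    accepted, rejected = [], []
    for url in urls:
        value = server_param(url)
        if value is None:
            continue  # request does not carry the parameter at all
        (accepted if value in CONFIGURED_SERVERS else rejected).append(value)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample requests, not taken from real traffic.
    base = "https://pga.example.test/phppgadmin/"
    sample = [
        base + "sequences.php?server=localhost%3A5432%3Aallow",
        base + "sequences.php?server=%3Cb%3EOffline%3C%2Fb%3E",
        base + "servers.php",
    ]
    print(triage(sample))
    print(render_server_row("<b>Offline</b>", 5432, "admin"))
```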

314 Closed Phppgadmin Subdomain allows access with default credent ... SpaceCowb0y

Task Description

Hi security team, the subdomain phppgadmin.alwaysdata.com, specifically this link 'https://phppgadmin.alwaysdata.com/phppgadmin/login.php?server='

It grants access for default credentials admin:admin, which then prompts the user into a login page for the internal PostgreSQL server. I didn't try to brute force it, but this is one attack vector among others that can be used to access the database. It's essential to hide such subdomains from public access and move the server into an internal network subnet, or restrict access using web application firewalls that return 403 based on certain rules. There are too many ways to enhance the security of this subdomain.

I hope you found this report helpful in securing your assets

Regards..
