Not every form has a CSRF token associated with it. The search form is one that doesn't. Forms that result in an action that represents a specific user are protected with a CSRF token. Things like login, posting, private messages, all ACP actions, etc. are protected. In the HTML source, you will see something like this:
Code: Select all
<input type="hidden" name="form_token" value="abcdefghijklmnopqrstuvwxyz1234567890" />
In the phpBB template code, this can look like:
If you feel that the search forms should have a CSRF token, you could put in a bug ticket for hardening them: https://tracker.phpbb.com/browse/PHPBB3
lbowner wrote: ↑
Thu Sep 19, 2019 9:49 am
In addition a blind NoSQL vulnerability was found in search.php.
If you believe you have found a security issue, please report it to the Security tracker: https://tracker.phpbb.com/browse/SECURITY
If you're using an automated vulnerability scanner, be forewarned that they are notorious for reporting false positives.