phpBB2 Showing users' IP addresses

From: Priamus (priamusat_private)
Date: Wed Oct 09 2002 - 05:52:18 PDT

    phpBB2 Showing users' IP addresses
    -------------------------------------------- 
    
    Affected Program: phpBB2 version 2.0.0, 2.0.1, 2.0.3
      (possibly earlier versions too, but not tested) 
    Vendor: http://www.phpbb.com 
    Vendor Status: not informed yet
    Discovery Date: 9 oct 2002 
    
    
    Severity 
    -------- 
    All users can see other users' IP addresses.
    
    
    Problem 
    ------- 
    All users can see the IP addresses of other users who use
    an uploaded avatar.
    
    The problem is caused by the way phpBB2 gives every
    uploaded avatar a unique file name. The IP address is
    revealed (in hex) in the first characters of the file name.
    
    
    Example 
    ------- 
    Filename of avatar: d094d8473ce3c4ad501ce.gif
    
    d094d847 is the (hex) IP address: 208.148.216.71
    
    
    Solutions 
    --------- 
    * Administrator of phpBB2 can disable upload of avatars.
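
For administrators who want to measure the exposure before disabling uploads, the following is an added example, not part of the original advisory or of phpBB: it audits a list of avatar file names for the hex-encoded IP prefix described above and proposes a neutral replacement name for each. The function names, the accepted extensions, the `av_` prefix and the second sample name are assumptions made for illustration.

```python
import re
import secrets

# Uploaded-avatar pattern from the advisory: 8 hex digits (the uploader's
# IPv4 address) followed by more hex digits and an image extension.
# The extension list is an assumption.
AVATAR_RE = re.compile(r"^([0-9a-f]{8})[0-9a-f]*\.(gif|jpe?g|png)$", re.I)

# Constructed sample: the first name is the advisory's example, the others
# are made up for this illustration.
SAMPLE = [
    "d094d8473ce3c4ad501ce.gif",
    "c0a8000a5f1e2d3c4b5a6.jpg",
    "gallery_cat.gif",
]


def embedded_ip(filename):
    """Return the dotted-quad address encoded in the first 8 hex characters
    of an avatar file name, or None if the name does not fit the pattern."""
    match = AVATAR_RE.match(filename)
    if match is None:
        return None
    return ".".join(str(octet) for octet in bytes.fromhex(match.group(1)))


def neutral_name(filename):
    """Build a replacement name from random bytes only, keeping the extension.
    The 'av_' prefix (hypothetical) keeps renamed files out of later audits."""
    extension = filename.rsplit(".", 1)[1].lower()
    return "av_" + secrets.token_hex(16) + "." + extension


def audit(filenames):
    """Map every leaking file name to (exposed address, proposed new name)."""
    plan = {}
    for name in filenames:
        address = embedded_ip(name)
        if address is not None:
            plan[name] = (address, neutral_name(name))
    return plan


if __name__ == "__main__":
    for old, (address, new) in audit(SAMPLE).items():
        print(f"{old} exposes {address}; rename to {new}")
```

A name that merely begins with eight hex digits for another reason is also flagged, so the output is a list of candidates to review; any stored reference to an old file name has to be updated when a file is renamed.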
    


