[34615] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Re: phpBB 2.0.8a and lower - IP spoofing vulnerability

daemon@ATHENA.MIT.EDU (3APA3A)
Tue Apr 20 20:28:07 2004

Date: Tue, 20 Apr 2004 16:15:48 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Message-ID: <1615796113.20040420161548@SECURITY.NNOV.RU>
To: Ready Response <wang@mod-x.co.uk>
Cc: bugtraq@securityfocus.com
In-Reply-To: <20040419000129.28917.qmail@www.securityfocus.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 8bit

Dear Ready Response,

--Monday, April 19, 2004, 4:01:29 AM, you wrote to bugtraq@securityfocus.com:

RR> the  users IP address in the common.php script. This issue is caused
RR> by blind trust of the X-Forwarded-For HTTP header. A remote attacker

This  issue  is very common for different BBs (for example Iconboard has
same problem), in addition to IP spoofing it's usually possible to cause
crossite  scripting  by  inserting  script  into forgery X-Forwarded-For
header.

-- 
~/ZARAZA
Но ведь кому угодно могут прийти в голову яйца, пятки и епископы. (Лем)


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[34615] in bugtraq

Re: phpBB 2.0.8a and lower - IP spoofing vulnerability

daemon@ATHENA.MIT.EDU (3APA3A)Tue Apr 20 20:28:07 2004

daemon@ATHENA.MIT.EDU (3APA3A)
Tue Apr 20 20:28:07 2004