[40401] in bugtraq
phpBB 2.0.17 remote avatar size bug
daemon@ATHENA.MIT.EDU (SmOk3)
Tue Sep 20 16:00:35 2005
Message-ID: <1f9bad3a05092003566bd333b9@mail.gmail.com>
Date: Tue, 20 Sep 2005 11:56:07 +0100
From: SmOk3 <smok3f00@gmail.com>
Reply-To: SmOk3 <smok3f00@gmail.com>
To: bugtraq@securityfocus.com
In-Reply-To: <1f9bad3a05092003552d33939e@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Title: phpBB remote avatar size bug
Software: phpBB 2.0.17 (and maybe prior versions)
Discovered by: David Sopas Ferreira < david at systemsecure dot org >
Original link: http://www.systemsecure.org/ssforum/viewtopic.php?t=272
» Email from phpBB «
Your report "Avatar size" has been closed because your reported issue is
invalid.
Classifying a report as invalid can have various reasons, most of the time
the report is incomplete.
If you think your report has been handled incorrecly, please submit
another report at http://www.phpbb.com/security/index.php.
Comment added by team member:
This isn't a security problem. You can do the same thing with a standard
webpage. As for checking remote avatar size, there are several inherit
problems with that, which I won't detail here. As this isn't a security
problem, closing.
» End Of Mail - «
» My personnal opinion:
I think this is a minor security problem. A malicious user can use larger images
(for example: 1280px - 1024px) to almost damage the entire view of a
topic. This, to
be done, has to have Remote Avatar selected.
So, if the admins don't consider this a minor security problem, what
is it? A "special"
feature?
I don't want to criticize the phpBB coders, but why is it dificult to
check out the size
of a image and telling the user that that size of image it's not
possible, or even block the
size on the viewtopic table, something like that.
» Possible solution:
Disable remote avatar or just dig in the code to set the image size you want.
