[27360] in bugtraq
phpBB2 Showing users' IP addresses
daemon@ATHENA.MIT.EDU (Priamus)
Wed Oct 9 14:40:17 2002
Date: 9 Oct 2002 12:52:18 -0000
Message-ID: <20021009125218.7737.qmail@mail.securityfocus.com>
From: Priamus <priamus@antiekraak.com>
To: bugtraq@securityfocus.com
phpBB2 Showing users' IP addresses
--------------------------------------------
Affected Program: phpBB2 version 2.0.0, 2.0.1, 2.0.3
(possibly earlier versions too, but not tested)
Vendor: http://www.phpbb.com
Vendor Status: not informed yet
Discovery Date: 9 Oct 2002
Severity
--------
All users can see other users' IP addresses.
Problem
-------
All users can see the IP addresses of other users who use
an uploaded avatar.
The problem is caused by the way phpBB2 gives every
uploaded avatar a unique file name. The IP address is
revealed, in hex, in the first characters of the file name.
Example
-------
Filename of avatar: d094d8473ce3c4ad501ce.gif
d094d847 is the (HEX) IP address: 208.148.216.71
Solutions
---------
* The phpBB2 administrator can disable avatar uploads.
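The following is an added example, not code from the advisory or from phpBB. It does two things a board administrator would want from the description above: it audits a listing of avatar filenames for the eight-hex-character IPv4 prefix the advisory describes (so existing exposures can be found and the files renamed), and it shows a replacement naming scheme that derives the filename from a random token rather than from anything about the uploader. The filename format (first eight hex characters = four IPv4 octets, as in d094d847 = 208.148.216.71) is taken from the advisory; the sample directory listing is constructed for the example, and the function names are this example's own.

```python
"""Audit uploaded-avatar filenames for a hex-encoded IPv4 prefix and generate
safe replacement names.

Added example, not phpBB code. Assumes the filename format the advisory
describes: the first eight hex characters of an uploaded avatar's name are
the four octets of the uploader's IPv4 address (d094d847 -> 208.148.216.71).
"""
import ipaddress
import re
import secrets
from typing import Dict, List, Optional

# The leaking scheme: exactly eight hex digits at the very start of the name.
_HEX_IP_PREFIX = re.compile(r"^([0-9a-fA-F]{8})")

# Image types a board would normally accept; anything else is refused.
_ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png"}


def decode_ip_prefix(filename: str) -> Optional[str]:
    """Return the dotted-quad encoded in the first eight hex characters of
    `filename`, or None if the name does not start with eight hex digits."""
    match = _HEX_IP_PREFIX.match(filename)
    if not match:
        return None
    # int(..., 16) turns the 8 hex digits into a 32-bit value; IPv4Address
    # renders it as dotted decimal (0xd094d847 -> 208.148.216.71).
    return str(ipaddress.IPv4Address(int(match.group(1), 16)))


def audit_avatar_listing(filenames: List[str]) -> Dict[str, str]:
    """Map every filename that follows the leaking scheme to the IPv4 address
    it discloses. Names that do not start with eight hex digits are skipped.
    Use this over a directory listing of the avatar upload path to find files
    that should be renamed before avatar uploads are re-enabled."""
    exposed: Dict[str, str] = {}
    for name in filenames:
        ip = decode_ip_prefix(name)
        if ip is not None:
            exposed[name] = ip
    return exposed


def safe_avatar_name(extension: str) -> str:
    """Build a filename that carries no information about the uploader:
    16 hex characters from the OS CSPRNG plus an allow-listed extension.
    Uniqueness comes from the 64-bit random token, not from the client's
    address or the upload time, so nothing about the user can be recovered
    from the name."""
    ext = extension.lower().lstrip(".")
    if ext not in _ALLOWED_EXTENSIONS:
        raise ValueError(f"unsupported avatar type: {extension!r}")
    return f"{secrets.token_hex(8)}.{ext}"


# Constructed sample listing for the example: three names in the leaking
# format (the first is the advisory's own example), two that are not.
SAMPLE_LISTING = [
    "d094d8473ce3c4ad501ce.gif",   # advisory example -> 208.148.216.71
    "0a000001f00dbeef1234.png",    # constructed       -> 10.0.0.1
    "c0a80142deadbeef5678.jpg",    # constructed       -> 192.168.1.66
    "legacy_avatar.gif",           # not in the leaking format
    "gallery_smile01.gif",         # not in the leaking format
]


if __name__ == "__main__":
    for name, ip in audit_avatar_listing(SAMPLE_LISTING).items():
        print(f"{name}: discloses {ip}; suggested rename -> "
              f"{safe_avatar_name(name.rsplit('.', 1)[-1])}")
```

Because every eight-hex-digit prefix decodes to some IPv4 address, the audit cannot tell a genuinely leaked address from a coincidental one; it reports every file that fits the scheme, which is the conservative choice for a rename pass. Renaming with safe_avatar_name and updating the users' avatar records removes the disclosure without having to keep uploads disabled.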