[27380] in bugtraq
Re: phpBB2 Showing users ip adresses
daemon@ATHENA.MIT.EDU (Gerben Wijnja)
Thu Oct 10 14:36:51 2002
Message-ID: <009501c2706b$74fe9c50$1400a8c0@Pjurkje>
Reply-To: "Gerben Wijnja" <info@gerbs.net>
From: "Gerben Wijnja" <info@gerbs.net>
To: <bugtraq@securityfocus.com>
Date: Thu, 10 Oct 2002 16:43:53 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
It also works with version 2.0.2.
Greetz,
Gerben
----- Original Message -----
From: "Priamus" <priamus@antiekraak.com>
To: <bugtraq@securityfocus.com>
Sent: Wednesday, October 09, 2002 2:52 PM
Subject: phpBB2 Showing users ip adresses
>
>
> phpBB2 Showing users' IP addresses
> --------------------------------------------
>
> Affected Program: phpBB2 version 2.0.0, 2.0.1, 2.0.3
> (possibly earlier versions too, but not tested)
> Vendor: http://www.phpbb.com
> Vendor Status: not informed yet
> Discovery Date: 9 Oct 2002
>
>
> Severity
> --------
> All users can see other users' IP addresses.
>
>
> Problem
> -------
> All users can see IP addresses of other users who use
> an uploaded avatar.
>
> The problem is caused by the way phpBB2 gives every
> uploaded avatar a unique file name. The IP address is
> revealed (HEX) in the first characters of the file name.
>
>
> Example
> -------
> Filename of avatar: d094d8473ce3c4ad501ce.gif
>
> d094d847 is the (HEX) IP address: 208.148.216.71
>
>
> Solutions
> ---------
> * Administrator of phpBB2 can disable upload of avatars.
>
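An audit and remediation sketch, added here as an example and not code from phpBB or from either poster: it decodes the 8-hex-character prefix the advisory describes, flags such names in a constructed avatar directory listing so an administrator can find affected files, and shows a replacement naming scheme that carries no uploader information. The "8 hex characters followed by 13" shape is taken from the advisory's example filename; the random naming scheme is an assumption, not phpBB's fix.

```python
import re
import secrets
from ipaddress import IPv4Address
from typing import Dict, Iterable, Optional

# Constructed directory listing. The first entry is the filename from the
# advisory; the others are made up to show what the audit flags and ignores.
AVATAR_DIR_LISTING = [
    "d094d8473ce3c4ad501ce.gif",
    "c0a801643ce3c4b1a2f11.png",
    "0a0000013ce3c4ad77e01.jpg",
    "avatar_42.gif",  # no hex prefix: nothing to decode
    "thumbs.db",
]

# Shape seen in the advisory: 8 hex chars (the encoded IPv4) + 13 more hex
# chars, then an image extension. Other shapes are not treated as leaks.
HEX_IP_PREFIX = re.compile(r"^([0-9a-f]{8})[0-9a-f]{13}\.(gif|jpe?g|png)$", re.I)


def ip_from_avatar_name(filename: str) -> Optional[str]:
    """Return the dotted-quad IPv4 encoded in the first 8 hex characters,
    or None if the name does not follow the pattern from the advisory."""
    m = HEX_IP_PREFIX.match(filename)
    if not m:
        return None
    return str(IPv4Address(int(m.group(1), 16)))


def audit_avatar_names(listing: Iterable[str]) -> Dict[str, str]:
    """Detection step for an administrator: map each leaking filename to the
    IP address it discloses. Any 21-hex-char name matches, so treat hits as
    candidates to rename rather than proof of who uploaded them."""
    found: Dict[str, str] = {}
    for name in listing:
        ip = ip_from_avatar_name(name)
        if ip is not None:
            found[name] = ip
    return found


def safe_avatar_name(extension: str) -> str:
    """Assumed replacement scheme (not phpBB's): a random token is unique but
    carries nothing about the uploader, so there is nothing to decode."""
    return f"{secrets.token_hex(16)}.{extension.lstrip('.').lower()}"


if __name__ == "__main__":
    for name, ip in audit_avatar_names(AVATAR_DIR_LISTING).items():
        print(f"{name}: discloses {ip} -> rename to {safe_avatar_name(name.rsplit('.', 1)[1])}")
```

Renaming files on disk also requires updating the avatar path stored for each user, otherwise the forum will show broken images.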