Bugtraq mailing list archives

phpBB2 Showing users' IP addresses
From: Priamus <priamus () antiekraak com>
Date: 9 Oct 2002 12:52:18 -0000

phpBB2 Showing users' IP addresses

Affected Program: phpBB2 versions 2.0.0, 2.0.1, 2.0.3
  (possibly earlier versions too, but not tested)
Vendor: http://www.phpbb.com
Vendor Status: not informed yet
Discovery Date: 9 Oct 2002

All users can see other users' IP addresses.

Any user can see the IP address of any other user who uses
an uploaded avatar.

The problem is caused by the way phpBB2 gives every
uploaded avatar a unique file name. The IP address is
revealed, hex-encoded, in the first characters of the file name.

Filename of avatar: d094d8473ce3c4ad501ce.gif

d094d847 is the (hex) IP address:

* The administrator of a phpBB2 board can disable avatar uploads.
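
For a board administrator who wants to keep uploaded avatars, the following added example (not part of the original post and not phpBB code) audits a list of avatar file names for the shape described above and plans replacement names that carry no user data. It assumes the leaky shape is 8 hex characters followed by 13 more, as inferred from the single file name in the advisory; all function names and the sample listing are constructed for illustration.

```python
import ipaddress
import re
import secrets
from typing import Dict, Iterable, Optional

# Assumed shape, inferred from the one filename in the advisory: 8 hex chars
# (the IPv4 address) + 13 more hex chars, then an image extension.
LEAKY = re.compile(r"^([0-9a-f]{8})([0-9a-f]{13})\.(gif|jpe?g|png)$")

def leaky_name(ip: str, suffix: str, ext: str = "gif") -> str:
    """Rebuild a filename of the leaky shape (used only to make test data)."""
    return f"{int(ipaddress.IPv4Address(ip)):08x}{suffix}.{ext}"

def embedded_ip(filename: str) -> Optional[str]:
    """Return the IPv4 address encoded in a leaky filename, else None."""
    m = LEAKY.match(filename.lower())
    if not m:
        return None
    return str(ipaddress.IPv4Address(int(m.group(1), 16)))

def safe_name(ext: str) -> str:
    """Replacement name built from 128 random bits and nothing else."""
    return f"{secrets.token_hex(16)}.{ext}"

def rename_plan(filenames: Iterable[str]) -> Dict[str, str]:
    """Map each leaky filename to a fresh random name; skip all others."""
    plan = {}
    for name in filenames:
        m = LEAKY.match(name.lower())
        if m:
            plan[name] = safe_name(m.group(3))
    return plan

# Constructed directory listing; 192.0.2.0/24 is a documentation range.
SAMPLE = [
    leaky_name("192.0.2.42", "3d0a1b2c4e5f6"),  # leaky shape
    "gallery_cat.gif",                          # not an uploaded-avatar name
    safe_name("png"),                           # already random
]

if __name__ == "__main__":
    for old, new in rename_plan(SAMPLE).items():
        print(f"{old} exposes {embedded_ip(old)}; rename to {new}")
```

Any stored reference to an old avatar name has to be updated along with the file, and the upload code itself must stop deriving names from the client address or new uploads will leak again.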
