Home page logo
/

bugtraq logo Bugtraq mailing list archives

phpBB2 Showing users ip adresses
From: Priamus <priamus () antiekraak com>
Date: 9 Oct 2002 12:52:18 -0000



phpBB2 Showing users ip adresses 
-------------------------------------------- 

Affected Program: phpBB2 version 2.0.0, 2.0.1, 2.0.3
  (possibly earlier versions too, but not tested) 
Vendor: http://www.phpbb.com 
Vendor Status: not informed yet
Discovery Date: 9 oct 2002 


Severity 
-------- 
All users can see other user's IP adres.


Problem 
------- 
All users can see IP adresses of other users who use
an uploaded avatar.

The problem is caused by the way phpBB2 gives every
uploaded avatar a unique file name. The IP adres is
reavealed (HEX) at the first characters of the file name.


Example 
------- 
Filename of avatar: d094d8473ce3c4ad501ce.gif

d094d847 is the (HEX) IP adres: 208.148.216.71


Solutions 
--------- 
* Administrator of phpBB2 can disable upload of avatars.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]