phpBB Avatar Upload Arbitrary File Access

2005-02-21T07:34:02
ID OSVDB:14040
Type osvdb
Reporter AnthraX101()
Modified 2005-02-21T07:34:02

Description

Vulnerability Description

phpBB contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a local avatar file is specified for upload along with an arbitrary file local to the web server, which will disclose the specified file on the web server resulting in a loss of confidentiality.

Solution Description

Upgrade to version 2.0.12 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

phpBB contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a local avatar file is specified for upload along with an arbitrary file local to the web server, which will disclose the specified file on the web server resulting in a loss of confidentiality.

References:

Vendor URL: http://www.phpbb.com/ Security Tracker: 1013262 Secunia Advisory ID:14445 Secunia Advisory ID:14362 Related OSVDB ID: 14042 Related OSVDB ID: 14038 Related OSVDB ID: 14041 Related OSVDB ID: 14039 Other Advisory URL: http://www.idefense.com/application/poi/display?id=204&type=vulnerabilities Other Advisory URL: http://www.phpbb.com/phpBB/viewtopic.php?t=265423 Other Advisory URL: http://security.gentoo.org/glsa/glsa-200503-02.xml CVE-2005-0259