phpBB Avatar File IP Address Disclosure

2002-10-09T00:00:00
ID OSVDB:4267
Type osvdb
Reporter Priamus(priamus@antiekraak.com)
Modified 2002-10-09T00:00:00

Description

Vulnerability Description

phpBB contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a user posts an avatar: the stored avatar filename discloses the user's IP address, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: disable the ability to upload avatars.

Short Description

phpBB contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a user posts an avatar: the stored avatar filename discloses the user's IP address, resulting in a loss of confidentiality.

Manual Testing Notes

Example:
Filename of avatar: d094d8473ce3c4ad501ce.gif
d094d847 is the IP address in hex: 208.148.216.71
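An added audit sketch, not code from phpBB or from the original report: it decodes the hex prefix shown in the example above, confirms exposure by cross-checking against addresses the server logged for uploaders, and proposes random replacement names. The sample data, the extension list and the random-name mitigation are assumptions; the advisory's own workaround is to disable avatar uploads.

```python
import ipaddress
import re
import secrets

# First 8 hex digits of the stored avatar filename, per the advisory's example.
# The accepted extensions are an assumption.
_PREFIX = re.compile(r"^([0-9a-fA-F]{8})[0-9a-fA-F]*\.(gif|jpe?g|png)$")

def leaked_ip(filename):
    """Return the IPv4 address encoded in the filename prefix, or None."""
    m = _PREFIX.match(filename)
    if not m:
        return None
    return str(ipaddress.IPv4Address(int(m.group(1), 16)))

def audit(filenames, uploader_ips):
    """Confirm exposure: keep files whose prefix decodes to an address the
    server itself logged for an uploader. Any 8 hex digits decode to some
    address, so the cross-check removes false positives."""
    hits = {}
    for name in filenames:
        ip = leaked_ip(name)
        if ip is not None and ip in uploader_ips:
            hits[name] = ip
    return hits

def safe_name(filename):
    """Replacement name from a CSPRNG, carrying no client-derived data."""
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"

def rename_plan(filenames, uploader_ips):
    """Map each exposed avatar to a random replacement name."""
    return {old: safe_name(old) for old in audit(filenames, uploader_ips)}

# Constructed sample data; only the first filename comes from the advisory.
SAMPLE_FILES = ["d094d8473ce3c4ad501ce.gif", "c0a8010a3ce3c4ad50200.jpg", "smiley.gif"]
SAMPLE_UPLOADER_IPS = {"208.148.216.71"}

if __name__ == "__main__":
    for old, new in rename_plan(SAMPLE_FILES, SAMPLE_UPLOADER_IPS).items():
        print(f"{old} ({leaked_ip(old)}) -> {new}")
```

Renaming files on disk also requires updating the avatar reference stored for each user, which this sketch leaves to the operator.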

References:

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-10/0125.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-10/0145.html
ISS X-Force ID: 10323
Bugtraq ID: 5923