Invision Power Board Crafted Personal Photo Path Disclosure

2004-03-05T00:00:00
ID OSVDB:6728
Type osvdb
Reporter Shaun Colley (shaunige@yahoo.co.uk)
Modified 2004-03-05T00:00:00

Description

Vulnerability Description

Invision Power Board contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when supplying an invalid character in the upload field for the "Change Personal Photo" option, which will disclose the physical path of the Web server, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[victim]/forum/index.php?act=UserCP&CODE=photo

References:

Vendor URL: http://www.invisionboard.com/
Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=107850510428567&w=2
ISS X-Force ID: 15400
CVE-2004-0355
Bugtraq ID: 9810