phpBB common.php IP Spoofing Access Bypass

2004-04-18T09:15:10
ID OSVDB:7815
Type osvdb
Reporter Wang(srr@readyresponse.org)
Modified 2004-04-18T09:15:10

Description

Vulnerability Description

phpBB contains a flaw that may allow a remote attacker to circumvent administrative user management. common.php takes the client's IP address from the 'HTTP_X_FORWARDED_FOR' request header, a value the client itself supplies, so a remote attacker who sends a spoofed address in that header may bypass access restrictions keyed on the client IP, resulting in a loss of integrity.
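The pattern this advisory describes, shown as an added example rather than phpBB's own code: a function that takes the client address from HTTP_X_FORWARDED_FOR whenever the header is present, beside a version that honours the header only when the request arrives from a proxy the site operator has listed. The proxy list, the banned address and the sample $_SERVER arrays are assumptions constructed for the illustration.

```php
<?php
// Added example, not phpBB's code. Shows why trusting HTTP_X_FORWARDED_FOR
// unconditionally lets a client choose the IP that access checks see, and
// how to trust the header only when it was set by a proxy we operate.

// Vulnerable pattern: the header is client-controlled, so any visitor can
// present any address here and defeat an IP-based restriction.
function client_ip_vulnerable(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return trim($server['HTTP_X_FORWARDED_FOR']);
    }
    return $server['REMOTE_ADDR'];
}

// Hardened pattern: REMOTE_ADDR comes from the TCP connection and cannot be
// forged by an HTTP header. Only when that peer is one of our proxies do we
// walk X-Forwarded-For right to left, skipping our own proxies; the first
// address that is not ours is the real client.
function client_ip_hardened(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'];
    if (!in_array($remote, $trusted_proxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if ($hop === '' || in_array($hop, $trusted_proxies, true)) {
            continue;
        }
        // Reject anything that is not a syntactically valid IP; an attacker
        // can put arbitrary text in the header.
        return filter_var($hop, FILTER_VALIDATE_IP) !== false ? $hop : $remote;
    }
    // Every hop was one of our proxies; fall back to the connecting peer.
    return $remote;
}

function is_banned(string $ip, array $banned): bool
{
    return in_array($ip, $banned, true);
}

// Constructed sample data (assumptions, not taken from the advisory).
$trusted_proxies = ['10.0.0.1'];       // our reverse proxy
$banned          = ['203.0.113.50'];   // address an administrator has banned

// A banned client connecting directly and claiming to be someone else.
$direct_spoof = [
    'REMOTE_ADDR'          => '203.0.113.50',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.7',
];
// The same client arriving through our proxy, which appends the true address.
$via_proxy = [
    'REMOTE_ADDR'          => '10.0.0.1',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 203.0.113.50',
];

$ip = client_ip_vulnerable($direct_spoof);
printf("vulnerable, direct:  %s banned=%s\n", $ip, is_banned($ip, $banned) ? 'yes' : 'no');

$ip = client_ip_hardened($direct_spoof, $trusted_proxies);
printf("hardened,   direct:  %s banned=%s\n", $ip, is_banned($ip, $banned) ? 'yes' : 'no');

$ip = client_ip_hardened($via_proxy, $trusted_proxies);
printf("hardened,   proxied: %s banned=%s\n", $ip, is_banned($ip, $banned) ? 'yes' : 'no');
```

Run with `php example.php`. In the direct case the vulnerable function reports the address the attacker typed into the header and the ban check passes them through, while the hardened function ignores the header because the connecting peer is not a listed proxy. In the proxied case the hardened function recovers the banned address that the proxy appended, because it walks the header from the right and stops at the first hop that is not one of our own proxies.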

Solution Description

Upgrade to version 2.0.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

phpBB common.php trusts the client-supplied 'HTTP_X_FORWARDED_FOR' header as the user's IP address, allowing a remote attacker to spoof their IP and bypass access restrictions.

References:

Vendor URL: http://www.phpbb.com/
Vendor Specific Advisory URL
Secunia Advisory ID: 11434
Related OSVDB ID: 7808
Related OSVDB ID: 7809
Related OSVDB ID: 7810
Related OSVDB ID: 7811
Related OSVDB ID: 7812
Related OSVDB ID: 7813
Related OSVDB ID: 7814
Other Advisory URL: http://www.net-security.org/vuln.php?id=3394
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-04/0224.html
ISS X-Force ID: 15909
Bugtraq ID: 10170