Bugtraq mailing list archives

Re: phpBB2 Showing users ip adresses


From: "Gerben Wijnja" <info () gerbs net>
Date: Thu, 10 Oct 2002 16:43:53 +0200

It also works with version 2.0.2.

Greetz,
Gerben

----- Original Message ----- 
From: "Priamus" <priamus () antiekraak com>
To: <bugtraq () securityfocus com>
Sent: Wednesday, October 09, 2002 2:52 PM
Subject: phpBB2 Showing users ip adresses




phpBB2 Showing users ip addresses
-------------------------------------------- 

Affected Program: phpBB2 version 2.0.0, 2.0.1, 2.0.3
  (possibly earlier versions too, but not tested) 
Vendor: http://www.phpbb.com 
Vendor Status: not informed yet
Discovery Date: 9 oct 2002 


Severity 
-------- 
All users can see other users' IP addresses.


Problem 
------- 
All users can see IP addresses of other users who use
an uploaded avatar.

The problem is caused by the way phpBB2 gives every
uploaded avatar a unique file name. The IP address is
revealed (HEX) in the first characters of the file name.


Example 
------- 
Filename of avatar: d094d8473ce3c4ad501ce.gif

d094d847 is the (HEX) IP address: 208.148.216.71


Solutions 
--------- 
* Administrator of phpBB2 can disable upload of avatars.
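
For administrators who keep avatar uploads enabled, this added example (not part of the original post and not phpBB code) audits an avatar directory listing for file names that carry the hex-encoded address and proposes random replacement names. It assumes the layout seen in the advisory's one example (8 hex digits, more hex digits, then an image extension); the function names and the sample listing are constructed for illustration.

```python
import re
import secrets
from ipaddress import IPv4Address

# Assumed layout, inferred from the advisory's single example:
# 8 hex digits (the IPv4 address) + further hex digits + image extension.
# Any all-hex name matches, so treat hits as candidates for renaming.
LEAKY = re.compile(r"^([0-9a-f]{8})[0-9a-f]+\.(gif|jpe?g|png)$", re.IGNORECASE)


def leaked_ip(filename):
    """Return the dotted-quad encoded in the name's prefix, or None."""
    m = LEAKY.match(filename)
    if not m:
        return None
    return str(IPv4Address(int(m.group(1), 16)))


def safe_name(filename):
    """Build a replacement name from CSPRNG output only, keeping the extension."""
    ext = filename.rsplit(".", 1)[1].lower()
    # The "av-" prefix keeps new names from matching LEAKY on a re-run.
    return "av-" + secrets.token_hex(16) + "." + ext


def rename_plan(filenames):
    """Map each leaking avatar name to (decoded address, replacement name)."""
    plan = {}
    for name in filenames:
        ip = leaked_ip(name)
        if ip is not None:
            plan[name] = (ip, safe_name(name))
    return plan


# Constructed directory listing; only the first name comes from the advisory.
SAMPLE = ["d094d8473ce3c4ad501ce.gif", "gallery_cat.png", "av-00ff.gif", "index.htm"]

if __name__ == "__main__":
    for old, (ip, new) in rename_plan(SAMPLE).items():
        print(f"{old}  exposes {ip}  ->  {new}")
```

Renaming files on disk only helps if the avatar reference the board stores for each user is updated to the new name as well.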


