Bugtraq mailing list archives
Re: phpBB2 Showing users ip adresses
From: "Gerben Wijnja" <info () gerbs net>
Date: Thu, 10 Oct 2002 16:43:53 +0200
It also works with version 2.0.2. Greetz, Gerben ----- Original Message ----- From: "Priamus" <priamus () antiekraak com> To: <bugtraq () securityfocus com> Sent: Wednesday, October 09, 2002 2:52 PM Subject: phpBB2 Showing users ip adresses
phpBB2 Showing users ip adresses -------------------------------------------- Affected Program: phpBB2 version 2.0.0, 2.0.1, 2.0.3 (possibly earlier versions too, but not tested) Vendor: http://www.phpbb.com Vendor Status: not informed yet Discovery Date: 9 oct 2002 Severity -------- All users can see other user's IP adres. Problem ------- All users can see IP adresses of other users who use an uploaded avatar. The problem is caused by the way phpBB2 gives every uploaded avatar a unique file name. The IP adres is reavealed (HEX) at the first characters of the file name. Example ------- Filename of avatar: d094d8473ce3c4ad501ce.gif d094d847 is the (HEX) IP adres: 208.148.216.71 Solutions --------- * Administrator of phpBB2 can disable upload of avatars.
Current thread:
- phpBB2 Showing users ip adresses Priamus (Oct 09)
- Re: phpBB2 Showing users ip adresses Gerben Wijnja (Oct 10)
- <Possible follow-ups>
- Re: phpBB2 Showing users ip adresses nick84 (Oct 14)