It also works with version 2.0.2.

Greetz,
Gerben

----- Original Message -----
From: "Priamus" <priamus@antiekraak.com>
To: <bugtraq@securityfocus.com>
Sent: Wednesday, October 09, 2002 2:52 PM
Subject: phpBB2 Showing users ip adresses

>
>
> phpBB2 Showing users ip addresses
> --------------------------------------------
>
> Affected Program: phpBB2 version 2.0.0, 2.0.1, 2.0.3
> (possibly earlier versions too, but not tested)
> Vendor: http://www.phpbb.com
> Vendor Status: not informed yet
> Discovery Date: 9 oct 2002
>
>
> Severity
> --------
> All users can see other users' IP address.
>
>
> Problem
> -------
> All users can see IP addresses of other users who use
> an uploaded avatar.
>
> The problem is caused by the way phpBB2 gives every
> uploaded avatar a unique file name. The IP address is
> revealed (HEX) at the first characters of the file name.
>
>
> Example
> -------
> Filename of avatar: d094d8473ce3c4ad501ce.gif
>
> d094d847 is the (HEX) IP address: 208.148.216.71
>
>
> Solutions
> ---------
> * Administrator of phpBB2 can disable upload of avatars.
>
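
Added example, not part of the original posts and not phpBB code: a small Python audit an administrator could run over an avatar directory listing to see which stored file names expose an address in the way the advisory describes. The file-name pattern is an assumption inferred from the advisory's single example, and every sample name other than the advisory's is constructed.

```python
import ipaddress
import re

# Assumed file-name shape, inferred from the one example in the advisory:
# 8 hex digits (the IPv4 address), further hex digits, an image extension.
AVATAR_RE = re.compile(r"^([0-9a-f]{8})[0-9a-f]+\.(gif|jpe?g|png)$", re.IGNORECASE)


def leaked_ip(filename):
    """Return the IPv4 address encoded in an avatar file name, or None.

    Any 8 hex digits decode to *some* address, so a match only means the
    name has the shape described in the advisory, not proof of a real IP.
    """
    match = AVATAR_RE.match(filename)
    if match is None:
        return None
    return str(ipaddress.IPv4Address(int(match.group(1), 16)))


def audit(filenames):
    """Map each file name of the affected shape to the address it exposes."""
    report = {}
    for name in filenames:
        ip = leaked_ip(name)
        if ip is not None:
            report[name] = ip
    return report


if __name__ == "__main__":
    # Constructed directory listing; only the first name is from the advisory.
    sample = [
        "d094d8473ce3c4ad501ce.gif",
        "c0a8010a3ce3c4ad51f02.jpg",  # constructed
        "gallery_smiley.gif",         # constructed, not an upload-style name
        "README.txt",                 # constructed
    ]
    for name, ip in audit(sample).items():
        print(f"{name}  ->  {ip}")
```

Names reported by `audit` are the ones whose owners' addresses are visible to anyone who can view the avatar URL.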