Author Topic: It's a phpBB2 vulnerability, but it probably doesn't affect us (Read 6462 times)


哈克

  • Cute elementary schooler
  • Posts: 18
Today's issue of the SecurityFocus newsletter published new security vulnerabilities; inevitably a bunch of regulars made the list.
What surprised me more was that phpBB2 was on the list too.
Fortunately, on a closer look, it's only about the member avatar upload feature creating a vulnerability, but better safe than sorry.
There is currently no fix available.
The text is as follows:

34. PHPBB2 Avatar Images Information Disclosure Vulnerability
BugTraq ID: 5923
Remote: Yes
Date Published: Oct 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5923
Summary:

phpBB2 is an open-source web forum application that is written in PHP and backended by a number of database products. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

It has been reported that phpBB2 reveals a user's IP address. This vulnerability is due to phpBB2's file naming scheme for avatar files. Avatar files are typically GIF images files uploaded by users that wish to personalize their posts.

When a user elects to upload an avatar file to a system using phpBB2, the system will save the file with a random name. This random name consists of the user's IP address, encoded in hexadecimal values, followed by other characters.

A malicious attacker can exploit this vulnerability to find out IP addresses of the users of the system hosting phpBB2. This information may be used by attackers to launch attacks against users of the system hosting phpBB2 forums.

This vulnerability was reported for phpBB2 2.0.0 to 2.0.3. Other versions may also be affected.
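The advisory above says the avatar filename starts with the uploader's IP address encoded in hexadecimal, so anyone who can list or view avatar URLs can recover the address. The following is an added example written for this thread; it is not phpBB2's code and not part of the advisory. It assumes the address is encoded as 8 hex digits (two per octet) at the start of the name, which the advisory does not spell out, and uses that assumption for an administrator's audit of an avatar directory, then shows a replacement naming scheme that derives nothing from the request.

```php
<?php
// Added example, not phpBB2 code. Assumption: an affected avatar name begins
// with the uploader's IPv4 address as 8 hex digits (two per octet), followed
// by other characters, as BID 5923 describes.

// Decode the address an affected filename would reveal; null if no hex prefix.
function ipFromAvatarName(string $filename): ?string
{
    if (!preg_match('/^([0-9a-f]{8})/i', $filename, $m)) {
        return null;
    }
    $octets = [];
    for ($i = 0; $i < 8; $i += 2) {
        $octets[] = hexdec(substr($m[1], $i, 2));
    }
    return implode('.', $octets);
}

// Audit helper for an administrator: map every avatar name that carries a
// hex prefix to the address it would disclose.
function auditAvatarDir(array $filenames): array
{
    $exposed = [];
    foreach ($filenames as $name) {
        $ip = ipFromAvatarName($name);
        if ($ip !== null) {
            $exposed[$name] = $ip;
        }
    }
    return $exposed;
}

// Hardened scheme: a CSPRNG-generated name that carries no client data,
// keeping only an allow-listed image extension from the original upload.
function safeAvatarName(string $originalName): string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['gif', 'jpg', 'jpeg', 'png'], true)) {
        $ext = 'gif';
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample listing (not real data):
// 0a000001 = 10.0.0.1, c0a80105 = 192.168.1.5, logo.gif has no hex prefix.
$sample = ['0a000001abcd.gif', 'c0a801051f3e.gif', 'logo.gif'];
foreach (auditAvatarDir($sample) as $name => $ip) {
    echo "$name -> uploader address $ip\n";
}
echo "replacement name: " . safeAvatarName('me.gif') . "\n";
```

The audit is a heuristic: any 8 leading hex digits decode to some dotted-quad, so a directory already using random hex names will also match, and a hit only confirms the old naming scheme when the decoded address corresponds to a real uploader. The hardened function matters more than the audit: once names come from `random_bytes`, the filename carries nothing about the client.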

duncanlo

  • SA grunt squad
  • I'm a doctor!
  • Posts: 7311
It's a phpBB2 vulnerability, but it probably doesn't affect us
« Reply #1 on: 2002-10-17 11:22 »
It seems that wherever an upload feature is provided,
many of them have security problems,
like nuke's DOWNLOAD section too!