Info

Disclosure

Feb 21, 2005

Discovery

Feb 09, 2005

Dates

Exploit

Feb 21, 2005

Solution

Unknown

Description

phpBB contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a local avatar file is specified for upload along with an arbitrary file local to the web server, which will disclose the specified file on the web server resulting in a loss of confidentiality.

Classification

Location: Remote/Network Access Required
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 2.0.12 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

phpBB Group	phpBB	2.0.11
		2.0.10
		2.0.9
		2.0.8
		2.0.7
		2.0.6
		2.0.5
		2.0.4
		2.0.3
		2.0.2
		2.0.1
		2.0.0

References

Security Tracker: 1013262
Related OSVDB ID: 14038 14039 14041 14042
Secunia Advisory ID: 14362 14445
CVE ID: 2005-0259 (see also: NVD)
Other Advisory URL: http://security.gentoo.org/glsa/glsa-200503-02.xml
http://www.idefense.com/application/poi/display?id=204&type=vulnerabilities
http://www.phpbb.com/phpBB/viewtopic.php?t=265423
Vendor URL: http://www.phpbb.com/

Credit

AnthraX101 -

Direct URL: http://osvdb.org/36218

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

phpBB Group

phpBB

References

Credit