Title: PHPBB HTTP Referer Information Disclosure Vulnerability
Severity: MODERATE
Description:
Implemented in PHP, phpBB is a web bulletin-board application.
The phpBB application is prone to an information-disclosure vulnerability. The application fails to properly secure the session ID when accessing an external avatar image or external BBCode image.
The problem presents itself when a victim user follows an external avatar image link or BBCode IMG tag. The session ID is transmitted as part of the HTTP referer, resulting in the disclosure of privileged information.
An attacker can exploit this issue to retrieve the session ID of a currently active victim user.
Successful exploitation of this issue requires that the vulnerable site be configured to use external avatar images; this is not the default setting.
Affected Products:
- Debian Linux 3.1.0
- Debian Linux 3.1.0 alpha
- Debian Linux 3.1.0 arm
- Debian Linux 3.1.0 hppa
- Debian Linux 3.1.0 ia-32
- Debian Linux 3.1.0 ia-64
- Debian Linux 3.1.0 m68k
- Debian Linux 3.1.0 mips
- Debian Linux 3.1.0 mipsel
- Debian Linux 3.1.0 ppc
- Debian Linux 3.1.0 s/390
- Debian Linux 3.1.0 sparc
- phpBB Group phpBB 2.0.1
- phpBB Group phpBB 2.0.10
- phpBB Group phpBB 2.0.11
- phpBB Group phpBB 2.0.12
- phpBB Group phpBB 2.0.13
- phpBB Group phpBB 2.0.14
- phpBB Group phpBB 2.0.15
- phpBB Group phpBB 2.0.16
- phpBB Group phpBB 2.0.17
- phpBB Group phpBB 2.0.18
- phpBB Group phpBB 2.0.19
- phpBB Group phpBB 2.0.2
- phpBB Group phpBB 2.0.3
- phpBB Group phpBB 2.0.4
- phpBB Group phpBB 2.0.5
- phpBB Group phpBB 2.0.6
- phpBB Group phpBB 2.0.6 c
- phpBB Group phpBB 2.0.6 d
- phpBB Group phpBB 2.0.7
- phpBB Group phpBB 2.0.7 a
- phpBB Group phpBB 2.0.8
- phpBB Group phpBB 2.0.8 a
- phpBB Group phpBB 2.0.9
References:
- Berliner: RE: [Full-disclosure] phpBB 2.0.19 Cross Site Request Forgeries and XSSAdmin
- Maksymilian Arciemowicz: RE: [Full-disclosure] phpBB 2.0.19 Cross Site Request Forgeries and XSSAdmin
- Maksymilian Arciemowicz: phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin
- phpBB: phpBB Homepage
