[UNIX] phpBB IP Spoofing Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 05/02/04
To: list@securiteam.com Date: 2 May 2004 11:26:34 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
phpBB IP Spoofing Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.securiteam.com/unixfocus/phpBB> phpBB is "a high powered,
fully scalable, and highly customizable open-source bulletin board
package. phpBB has a user-friendly interface, simple and straightforward
administration panel, and helpful FAQ. Based on the powerful PHP server
language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC
database servers, phpBB is the ideal free community solution for all web
sites."
A vulnerability in the PHP code that makes up the system allows any user
to fool the board into believing that their IP address is different from
their actual one. In effect, users can forge the IP address the board
records for them.
DETAILS
Vulnerable Systems:
* phpBB version 2.0.8a and prior
The problematic code section lies in the 'common.php' script. The code
that obtains the IP address of the user connecting to and posting on the
board blindly trusts the value passed in the X-Forwarded-For HTTP
header, which is generated on the client side and is therefore entirely
under the user's control.
Consequently, a user may send a header carrying a false IP address and
phpBB can never tell the difference. The direct consequences are that a
user can post anonymously, impersonate another user whose IP address is
known, bypass IP-based restrictions placed by the administrators, and
more.
The code in common.php:
//
// Obtain and encode users IP
//
if( getenv('HTTP_X_FORWARDED_FOR') != '' )
{
	// Start from REMOTE_ADDR; the '?' of each ternary was lost in the mailing-list copy and is restored here
	$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
	// The remainder of this block, which takes the address from X-Forwarded-For as described below, is not reproduced in the advisory
}
The code obtains the user's IP address from REMOTE_ADDR. However, if the
X-Forwarded-For HTTP header is present, the IP address is taken from the
header instead.
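As an added example (not phpBB's own code), the following PHP places the pattern the advisory describes beside a hardened version that only consults X-Forwarded-For when the request arrived from a reverse proxy the operator has listed. The function names, the $trustedProxies list and the sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example, not phpBB's code. $server stands in for PHP's $_SERVER array;
// $trustedProxies is an assumed operator-maintained list of reverse-proxy addresses.

// The pattern the advisory describes: whenever X-Forwarded-For is present,
// the header wins over REMOTE_ADDR, so any client can choose its own "IP".
function client_ip_vulnerable(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim($hops[0]);
    }
    return $server['REMOTE_ADDR'];
}

// Hardened form: REMOTE_ADDR is filled in by the web server from the TCP connection
// and cannot be set by the client; the header is consulted only when that peer is
// one of our own proxies, and then only the right-most hop we did not add ourselves.
function client_ip_hardened(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // no trusted proxy in front of us: the header is just client input
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    foreach (array_reverse($hops) as $hop) {
        if (in_array($hop, $trustedProxies, true)) {
            continue; // a hop appended by one of our proxies, keep walking left
        }
        // First hop not added by us: accept it only if it is a syntactically valid IP,
        // otherwise fall back to the peer rather than storing attacker-chosen junk.
        return filter_var($hop, FILTER_VALIDATE_IP) !== false ? $hop : $peer;
    }
    return $peer; // every hop was one of our proxies: nothing untrusted left
}

// Constructed requests using RFC 5737 documentation addresses: a client connecting
// directly while supplying its own header, and the same client arriving through
// the operator's reverse proxy at 192.0.2.1.
$proxies = ['192.0.2.1'];
$forged  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9'];
$proxied = ['REMOTE_ADDR' => '192.0.2.1',   'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];

echo "vulnerable, direct: ", client_ip_vulnerable($forged), "\n";          // reports the header value
echo "hardened, direct:   ", client_ip_hardened($forged, $proxies), "\n";  // reports the real peer
echo "hardened, proxied:  ", client_ip_hardened($proxied, $proxies), "\n"; // reports the client behind the proxy
```

For this check to hold, the proxy itself must overwrite or append to any X-Forwarded-For it receives rather than pass the client's copy through unchanged.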
ADDITIONAL INFORMATION
The information has been provided by <mailto:wang@mod-x.co.uk> Ready
Response.