RE: phpBB 2.0.17 remote avatar size bug

From: Sean Sullivan (admin_at_capitalwebhost.net)
Date: 09/20/05

  • Next message: Kenneth F. Belva: "Paper - How It's Difficult to Ruin a Good Name: An Analysis of Reputational Risk"
    To: "Bug Traq" <bugtraq@securityfocus.com>
    Date: Tue, 20 Sep 2005 17:06:52 -0400
    
    

    I think some people just try too hard to find problems with PHPBB. Yes, this
    is a "bug", but it's FAR from a security issue.

    LOL.

    -----Original Message-----
    From: SmOk3 [mailto:smok3f00@gmail.com]
    Sent: Tuesday, September 20, 2005 6:56 AM
    To: bugtraq@securityfocus.com
    Subject: phpBB 2.0.17 remote avatar size bug

    Title: phpBB remote avatar size bug
    Software: phpBB 2.0.17 (and maybe prior versions)
    Discovered by: David Sopas Ferreira < david at systemsecure dot org >
    Original link: http://www.systemsecure.org/ssforum/viewtopic.php?t=272

    » Email from phpBB «

    Your report "Avatar size" has been closed because your reported issue is
    invalid.
    Classifying a report as invalid can have various reasons, most of the time
    the report is incomplete.

    If you think your report has been handled incorrectly, please submit
    another report at http://www.phpbb.com/security/index.php.

    Comment added by team member:

    This isn't a security problem. You can do the same thing with a standard
    webpage. As for checking remote avatar size, there are several inherent
    problems with that, which I won't detail here. As this isn't a security
    problem, closing.

    » End Of Mail - «

    » My personal opinion:

    I think this is a minor security problem. A malicious user can use larger
    images (for example: 1280px - 1024px) to almost damage the entire view of
    a topic. For this to be done, Remote Avatar has to be selected.

    So, if the admins don't consider this a minor security problem, what is
    it? A "special" feature?

    I don't want to criticize the phpBB coders, but why is it difficult to
    check the size of an image and tell the user that that image size is not
    possible, or even block the size on the viewtopic table, something like
    that.

    » Possible solution:

    Disable remote avatar or just dig in the code to set the image size you
    want.

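A worked version of the check the original poster asks for, added here by the editor; it is not code from phpBB or from either correspondent. It assumes PHP 5.4 or later with allow_url_fopen enabled, and the limits (MAX_AVATAR_WIDTH, MAX_AVATAR_HEIGHT, MAX_AVATAR_BYTES) and function names are hypothetical; phpBB 2 keeps its own avatar limits in the board configuration. The phpBB team's reply alludes to inherent problems with a server-side size check without naming them, so the example handles the two any such check has to face: the remote file can be replaced after it is checked (so the render step pins the box with explicit width/height rather than trusting the check alone), and the board should not be made to fetch arbitrary internal URLs (so the scheme and resolved address are filtered before the fetch).

```php
<?php
// Added example (editor's code, not phpBB's): validate a remote avatar URL
// against configured maximum dimensions when the user sets it, and render it
// with explicit width/height so that even an image swapped for a larger one
// after the check cannot stretch the topic table.
//
// Assumptions: PHP 5.4+ (getimagesizefromstring), allow_url_fopen enabled.
// The limits and function names below are hypothetical.

const MAX_AVATAR_WIDTH  = 80;     // hypothetical board limit, in pixels
const MAX_AVATAR_HEIGHT = 80;
const MAX_AVATAR_BYTES  = 65536;  // read at most this much of the remote file

/**
 * Return array($width, $height) for the image at $url, or null if the URL is
 * not acceptable. Only the leading bytes are fetched: GIF, PNG and most JPEG
 * files carry their dimensions in the header, and an image whose size cannot
 * be read from the first MAX_AVATAR_BYTES is simply rejected.
 */
function remote_avatar_dimensions($url, $maxBytes = MAX_AVATAR_BYTES)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return null;   // no file://, ftp://, data: and so on
    }

    // The board is about to fetch a user-supplied URL server-side, so refuse
    // hosts that resolve to loopback, link-local or private ranges. (A name
    // that re-resolves differently between this lookup and the fetch below
    // can still slip through; a fixed resolver or outbound proxy closes that.)
    $ip = gethostbyname($parts['host']);   // returns the name unchanged on failure
    if (filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return null;
    }

    $ctx = stream_context_create(array(
        'http' => array('timeout' => 5, 'follow_location' => 0),
    ));
    $fh = @fopen($url, 'rb', false, $ctx);   // non-2xx responses fail here
    if ($fh === false) {
        return null;
    }
    $head = stream_get_contents($fh, $maxBytes);
    fclose($fh);
    if ($head === false || $head === '') {
        return null;
    }

    $info = @getimagesizefromstring($head);
    if ($info === false) {
        return null;   // not an image, or dimensions not within the fetched bytes
    }
    return array((int) $info[0], (int) $info[1]);
}

/** True if the remote avatar may be stored; $dims receives its dimensions. */
function remote_avatar_check($url, &$dims = null)
{
    $dims = remote_avatar_dimensions($url);
    if ($dims === null) {
        return false;
    }
    list($w, $h) = $dims;
    return $w > 0 && $h > 0 && $w <= MAX_AVATAR_WIDTH && $h <= MAX_AVATAR_HEIGHT;
}

/**
 * Render the avatar with the dimensions recorded at check time, capped at the
 * board limits. The browser reserves exactly this box, so a file replaced
 * after the check is scaled into it instead of widening the topic table.
 */
function render_avatar_img($url, $w, $h)
{
    return sprintf('<img src="%s" width="%d" height="%d" alt="" />',
        htmlspecialchars($url, ENT_QUOTES, 'UTF-8'),
        min((int) $w, MAX_AVATAR_WIDTH),
        min((int) $h, MAX_AVATAR_HEIGHT));
}

// Usage at the profile form, where $url is the submitted remote avatar URL:
//   if (remote_avatar_check($url, $dims)) {
//       // store $url, $dims[0], $dims[1] with the profile
//   } else {
//       // tell the user the image is missing, unreadable, or larger than
//       // MAX_AVATAR_WIDTH x MAX_AVATAR_HEIGHT
//   }
// At viewtopic time: echo render_avatar_img($url, $storedW, $storedH);
```

The render-time cap is the part that actually protects the topic view: the server-side check only tells you what the URL pointed at when the user submitted it, which is why it is paired with stored dimensions and explicit width/height attributes rather than trusted on its own.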
