lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <OOENJIBPPHCBLEFOABCKCELGDDAA.admin@capitalwebhost.net>
Date: Tue, 20 Sep 2005 17:06:52 -0400
From: "Sean Sullivan" <admin@...italwebhost.net>
To: "Bug Traq" <bugtraq@...urityfocus.com>
Subject: RE: phpBB 2.0.17 remote avatar size bug


I think some people just try to hard to find problems with PHPBB.  Yes, this
is a "bug", but it's FAR from a security issue.

LOL.

-----Original Message-----
From: SmOk3 [mailto:smok3f00@...il.com]
Sent: Tuesday, September 20, 2005 6:56 AM
To: bugtraq@...urityfocus.com
Subject: phpBB 2.0.17 remote avatar size bug


Title: phpBB remote avatar size bug
Software: phpBB 2.0.17 (and maybe prior versions)
Discovered by: David Sopas Ferreira < david at systemsecure dot org >
Original link: http://www.systemsecure.org/ssforum/viewtopic.php?t=272


» Email from phpBB «

Your report "Avatar size" has been closed because your reported issue is
invalid.
Classifying a report as invalid can have various reasons, most of the time
the report is incomplete.

If you think your report has been handled incorrecly, please submit
another report at http://www.phpbb.com/security/index.php.


Comment added by team member:

This isn't a security problem. You can do the same thing with a standard
webpage. As for checking remote avatar size, there are several inherit
problems with that, which I won't detail here. As this isn't a security
problem, closing.

» End Of Mail - «


» My personnal opinion:

I think this is a minor security problem. A malicious user can use larger
images
(for example: 1280px - 1024px) to almost damage the entire view of a
topic. This, to
be done, has to have Remote Avatar selected.

So, if the admins don't consider this a minor security problem, what
is it? A "special"
feature?

I don't want to criticize the phpBB coders, but why is it dificult to
check out the size
of a image and telling the user that that size of image it's not
possible, or even block the
size on the viewtopic table, something like that.


» Possible solution:

Disable remote avatar or just dig in the code to set the image size you
want.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ