TITLE:
phpBB "Referer" Header Session ID Disclosure

SECUNIA ADVISORY ID:
SA18693

VERIFY ADVISORY:
http://secunia.com/advisories/18693/

CRITICAL:
Less critical

IMPACT:
Hijacking, Cross Site Scripting, Exposure of sensitive information

WHERE:
From remote

SOFTWARE:
phpBB 2.x
http://secunia.com/product/463/

DESCRIPTION:
Maksymilian Arciemowicz has discovered a vulnerability in phpBB, which can be exploited by malicious people to disclose sensitive information.

The problem is that the session ID is included in the "Referer" HTTP header when sending certain requests for external avatar images and certain BBcode referencing external web sites. This can e.g. be exploited to disclose the administrator's session ID by tricking the administrator into viewing a malicious user's profile containing an external avatar image.

This is related to:
SA16868

Successful exploitation may enable various cross-site request forgery and cross-site scripting attacks, but requires that support for remote avatars is enabled (not the default setting).

The vulnerability has been confirmed in version 2.0.19 and has also been reported in prior versions.

SOLUTION:
Edit the source code to ensure that the session ID is not included in the "Referer" HTTP header in requests for external resources.

PROVIDED AND/OR DISCOVERED BY:
Maksymilian Arciemowicz

ORIGINAL ADVISORY:
http://securityreason.com/achievement_securityalert/31

OTHER REFERENCES:
SA16868:
http://secunia.com/advisories/16868/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help everybody keep their systems up to date against the latest vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

----------------------------------------------------------------------
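The following is an added illustration (not part of the Secunia advisory or of phpBB's code) of the leak mechanism described above: a page URL that carries the session token as a query parameter is sent verbatim as the Referer when the browser fetches an embedded third-party resource. The `sid` parameter name, the host names and the token value are constructed for the example; the `leaked_session_ids` check is the kind of review a site operator could run over a rendered page's URL and its external image references.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption for this example: the session token travels as ?sid=... in the page URL.
SESSION_PARAMS = {"sid"}


def referer_for(page_url: str, resource_url: str) -> str:
    """Model the browser behaviour the advisory relies on: when a page fetches an
    http(s) resource, the full page URL (query string included) is sent as Referer."""
    scheme = urlsplit(resource_url).scheme
    if scheme not in ("http", "https"):
        return ""  # no Referer for non-http(s) fetches
    return page_url


def leaked_session_ids(page_url: str, resource_url: str) -> list[str]:
    """Return the session tokens a *third-party* host would learn from the Referer.
    Same-host resources are not a disclosure, so they yield an empty list."""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    if res.netloc.lower() == page.netloc.lower():
        return []
    referer = referer_for(page_url, resource_url)
    if not referer:
        return []
    return [v for k, v in parse_qsl(urlsplit(referer).query) if k in SESSION_PARAMS]


def strip_session_id(url: str) -> str:
    """Mitigation sketch matching the advisory's SOLUTION: produce the page URL with
    the session parameter removed, so it can never appear in an outbound Referer."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in SESSION_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    # Constructed sample: an admin views a profile whose avatar is hosted elsewhere.
    page = "http://forum.example/profile.php?mode=viewprofile&u=2&sid=c0ffee1234"
    avatar = "http://images.example.net/avatar.gif"
    print("leaked to images.example.net:", leaked_session_ids(page, avatar))
    print("hardened page URL:", strip_session_id(page))
```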