• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

PHPBB HTTP Referer Information Disclosure Vulnerability



The phpBB application is prone to an information-disclosure vulnerability. This issue is due to a failure in the application to properly secure the session ID when accessing an external avatar image or external BBCode image.

An attacker can exploit this issue to retrieve the session ID of a currently active victim user.

Successful exploitation of this issue requires that the vulnerable site be configured to use external avatar images; this is not the default setting.