#52 Big Security Hole in whoispopup.php3

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2012-09-14
Created: 2002-06-02
Creator: Anonymous
Private: No

phpmychat version : 0.14.5
HTTPServer : all I guess
OS : all supported I guess

If someone enters the following in his browser, he would
be able to discover IP addresses of chat users.

http://Serverurl/chat/whois_popup.php3?L=german&power=all&U=cobain&R=Roomname

I found this bug while developing a special user list
together with a user messaging system.

The solution may be one of the following two:
1. Ensure that only registered users can use the
whois function
or
2. Ensure that the whois function can only be
called from within the chat.

For questions on this issue, email
vossnospam@netway.at

(Remove nospam from the address :-) to ensure
receiving of your question)
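
Added example, not part of the original report and not phpMyChat code: a log-triage sketch that finds requests matching the URL pattern reported above, that is, whois_popup.php3 called with a `power` parameter and no Referer from the chat itself. The log lines, the host name chat.example and the /chat/ path are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (Apache combined format); hosts and IPs are examples.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Jun/2002:10:00:01 +0200] "GET /chat/whois_popup.php3?L=german&power=all&U=cobain&R=Roomname HTTP/1.0" 200 812 "-" "Mozilla/4.0"
192.0.2.11 - - [02/Jun/2002:10:00:05 +0200] "GET /chat/whois_popup.php3?L=german&power=all&U=cobain&R=Roomname HTTP/1.0" 200 812 "http://chat.example/chat/" "Mozilla/4.0"
192.0.2.12 - - [02/Jun/2002:10:00:09 +0200] "GET /chat/whois_popup.php3?L=english&power=all&U=alice&R=Lobby HTTP/1.0" 200 815 "http://other.example/page.html" "Mozilla/4.0"
192.0.2.13 - - [02/Jun/2002:10:00:12 +0200] "GET /chat/whois_popup.php3?L=german&U=cobain&R=Roomname HTTP/1.0" 200 640 "-" "Mozilla/4.0"
"""

# client, timestamp, request target, referer
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$'
)

def direct_whois_requests(log_text, chat_host="chat.example", chat_path="/chat/"):
    """Return whois_popup.php3 requests that set `power` without a Referer
    from the chat. The Referer is client-supplied, so this is a triage
    heuristic for reviewing logs, not an access control."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        client, when, target, referer = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/whois_popup.php3"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if "power" not in params:
            continue  # assumption: only the reported `power` pattern is of interest
        ref = urlsplit(referer)  # "-" parses to an empty host
        from_chat = ref.hostname == chat_host and ref.path.startswith(chat_path)
        if not from_chat:
            hits.append({
                "client": client,
                "time": when,
                "looked_up_user": params.get("U", [""])[0],
                "room": params.get("R", [""])[0],
                "referer": referer,
            })
    return hits

if __name__ == "__main__":
    for hit in direct_whois_requests(SAMPLE_LOG):
        print(hit)
```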
