phpBB3

Redirect() fails with directory traversal

Details

  • Type: Bug
  • Status: Closed
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: 3.0.6
  • Fix Version/s: 3.0.8-RC1
  • Component/s: Login
  • Labels:
    None
  • Environment:
    PHP Environment: All
    Database: All
  • phpBB Import Key:

Description

This bug is not realized in a vanilla phpBB install, but ...

Scenario:
MOD has a database installer located at /install_awsm_mod/index.php. That file contains a call to login_box() in the event that the user is not logged in.
So build_url() will create S_LOGIN_ACTION as ../ucp.php?redirect=urlencode(../install_awsm/mod/index.php)

So ucp.php passes this into meta_refresh(), which in turn calls redirect(). Redirect eventually calls

$page_dirs = explode('/', str_replace('\\', '/', phpbb_realpath($pathinfo['dirname'])));

Which returns FALSE. Why? $pathinfo['dirname'] does not exist. Why?
print($pathinfo['dirname']); // displays ../install/install_awsm_mod/index.php

So of course, being at /ucp.php, "../" takes us out of the phpBB root, and into no-man's land.

The resulting redirect is

http://localhost/phpBB3/../../../../../index.php?&sid=258a07f66530b7fcedfe6c9c10bbcfd2

(the exact number of ../ depends on how many directories from / the phpBB root is.)
Browsers interpret this as "redirect to domain root", so http://localhost/ loads in error (in my case).

Ideally, the redirect would work as planned, but at least a somewhat better case would be to return to the phpBB Index page.
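
The fallback asked for above, as an added sketch that is neither phpBB's redirect() nor the patch from this ticket. It resolves the redirect target lexically instead of through the filesystem and returns the board index when the result would leave the board root. The function name resolve_board_redirect() and the sample paths are hypothetical.

```php
<?php
// Added example: hypothetical helper, not phpBB's redirect() and not the ticket's patch.
// Resolves $target lexically against $base_dir (URL paths only, no filesystem lookup) and
// falls back to the board index whenever the result would leave $board_root.
function resolve_board_redirect(string $board_root, string $base_dir, string $target): string
{
    $fallback = rtrim($board_root, '/') . '/index.php';
    $target = str_replace('\\', '/', $target);
    // Refuse absolute URLs, scheme-relative URLs and header-splitting characters.
    if (preg_match('#^[a-z][a-z0-9+.-]*:|^//|[\r\n]#i', $target)) {
        return $fallback;
    }
    // Only the path part is normalised; the query string is carried over untouched.
    $parts = explode('?', $target, 2);
    $query = isset($parts[1]) ? '?' . $parts[1] : '';
    $path = $parts[0];
    $joined = ($path !== '' && $path[0] === '/') ? $path : rtrim($base_dir, '/') . '/' . $path;

    $stack = array();
    foreach (explode('/', $joined) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if (!$stack) {
                return $fallback; // climbed above the domain root
            }
            array_pop($stack);
            continue;
        }
        $stack[] = $segment;
    }
    $resolved = '/' . implode('/', $stack);
    // Compare whole segments so that /phpBB3-other is not treated as inside /phpBB3.
    if (strpos($resolved . '/', rtrim($board_root, '/') . '/') !== 0) {
        return $fallback;
    }
    return $resolved . $query;
}

// Constructed inputs modelled on the report: board at /phpBB3, MOD in /phpBB3/install_awsm_mod.
$cases = array(
    array('/phpBB3/install_awsm_mod', '../install_awsm_mod/index.php'), // base the link was built for
    array('/phpBB3', '../install_awsm_mod/index.php'),                  // same value seen from ucp.php
    array('/phpBB3', '../../../../../index.php?sid=constructed'),       // shape of the broken redirect
);
foreach ($cases as $case) {
    echo $case[0], ' + ', $case[1], ' => ', resolve_board_redirect('/phpBB3', $case[0], $case[1]), "\n";
}
```

The first case stays inside the board because the relative path is resolved against the directory it was generated for; the other two resolve outside /phpBB3 and are replaced by the board index.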

Activity

A_Jelly_Doughnut added a comment - 22/Jan/10 5:10 PM

Proposed patch:

Andreas Fischer added a comment - 04/Mar/10 5:39 PM

r10536 is corrupted, you cannot use "break;" there, since there is no loop. "return;", maybe?

A_Jelly_Doughnut added a comment - 09/Mar/10 4:00 PM

Another test case from nickvergessen: http://www.phpbb.com/bugs/phpbb3/58345

Meik Sievertsen made changes - 26/Mar/10 8:10 PM
Field Original Value New Value
issue.field.phpbbimportkey 56965 19103
Meik Sievertsen made changes - 26/Mar/10 9:07 PM
Workflow jira [ 19175 ] phpbb [ 19571 ]
A_Jelly_Doughnut made changes - 27/Mar/10 4:06 PM
Status Open [ 1 ] Resolved [ 5 ]
Fix Version/s 3.0.8 [ 10034 ]
Resolution Fixed [ 1 ]
Nils Adermann made changes - 03/Apr/10 8:08 PM
Workflow phpbb [ 19571 ] phpBB Full Tracker Workflow 2 [ 33701 ]
Andreas Fischer made changes - 07/Apr/10 3:58 PM
Priority Blocker [ 1 ]
Fix Version/s 3.0.8-RC1 [ 10051 ]
Fix Version/s 3.0.8 [ 10034 ]
Andreas Fischer made changes - 07/Apr/10 4:00 PM
Priority Blocker [ 1 ] Major [ 3 ]
Andreas Fischer made changes - 22/Apr/10 12:37 PM
Resolution Fixed [ 1 ]
Status Unverified Fix [ 5 ] Open [ 1 ]
Andreas Fischer made changes - 22/Apr/10 12:39 PM
Link This issue duplicates PHPBB3-9561 [ PHPBB3-9561 ]
Andreas Fischer made changes - 22/Apr/10 12:40 PM
Link This issue duplicates PHPBB3-9561 [ PHPBB3-9561 ]
Andreas Fischer made changes - 22/Apr/10 12:40 PM
Link This issue is duplicated by PHPBB3-9561 [ PHPBB3-9561 ]
A_Jelly_Doughnut added a comment - 13/Jun/10 3:57 AM

I cannot reproduce the problem, and no one has said they can either in a large number of weeks, so I'm re-closing the ticket.

A_Jelly_Doughnut made changes - 13/Jun/10 3:57 AM
Status Open [ 1 ] Unmerged Fix [ 10003 ]
A_Jelly_Doughnut made changes - 13/Jun/10 3:58 AM
Status Unmerged Fix [ 10003 ] Closed [ 6 ]

Dates

  • Created:
    22/Jan/10 5:06 PM
    Updated:
    13/Jun/10 3:58 AM
    Resolved:
    13/Jun/10 3:58 AM