Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-10035

ACP template edit feature allows to read any files on webserver and to upload/execute any script on it

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.8
    • Fix Version/s: 3.0.9-RC1
    • Component/s: ACP
    • Labels:
      None

      Description

      When you're going to edit any template file with ACP/Styles/Templates -> edit feature, you can access any files on webserver by replacing the value for name=template_file in form input tag with any path going upwards, like

      ..../..../..../index.php

      and so on.
      As a result you can read any files (imagine config.php) as well as write any custom code (including shells/etc) into writable directories like /cache.
      The problematic code is in includes/acp/acp_styles.php, function edit_template():

      // make sure template_file path doesn't go upwards
      $template_file = str_replace('..', '.', $template_file);

      which doesn't really make its job since ..../ is being replaced with ../ and hence allows you to go directory upwards anyway.

      Never let your co-admins (who doesn't have founder permissions / ftp access) to use ACP template edit feature until this bug is unfixed

        Attachments

          Activity

            People

            • Assignee:
              rxu rxu
              Reporter:
              rxu rxu
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: